CVE-2024-21642: Server-Side Request Forgery (SSRF)

January 5, 2024

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the Load From the Web input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

References

github.com/advisories/GHSA-7hfx-h3j3-rwq4
github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2
github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4

Detect and mitigate CVE-2024-21642 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →