Cyber Resilience

CVE-2024-3408

Critical · Public PoC · RCE

Published: 06 June 2024
Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9174 (99.7th percentile)
Risk Priority: 75 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3408 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Man D-Tale (man-group/dtale). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is classified as AI-related: AI category Data Processing Libraries, risk domain Other ATLAS/OWASP Terms.

Deeper analysis

man-group/dtale version 3.10.0 contains an authentication bypass and remote code execution vulnerability stemming from a hardcoded SECRET_KEY in its Flask configuration combined with insufficient input validation on custom filter queries. The flaw permits forged session cookies when authentication is enabled and allows arbitrary code execution via the /update-settings endpoint regardless of the enable_custom_filters setting. The issue is tracked under CWE-798 and CWE-94 with a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the hardcoded key to impersonate a valid session and then submit crafted filter payloads that bypass intended restrictions, resulting in arbitrary code execution on the server with full confidentiality, integrity, and availability impact.

The referenced commit 32bd6fb4a63de779ff1e51823a456865ea3cbd13 in the dtale repository addresses the input-validation and session-handling weaknesses, while the associated huntr.dev bounty report details the original discovery and reproduction steps for defenders validating patches.

The EPSS score remains elevated near 0.92 with negligible movement between current and peak values.

Vulnerability details

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
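The hard-coded Flask `SECRET_KEY` described in the analysis above is the root of the session-forgery half of this CVE: whoever can read the source knows the signing key for every deployment. As an added example (not code from the dtale project or from the advisory), the block below puts a constructed weak configuration beside a hardened loader that fails closed when no strong key is supplied, and adds an AST-based check that flags hard-coded `SECRET_KEY` literals so the pattern is caught in code review or CI. The environment variable name `DTALE_SECRET_KEY`, the placeholder key strings and all helper names are assumptions made for this example.

```python
"""Added example (not from man-group/dtale): the CWE-798 SECRET_KEY anti-pattern,
a hardened loader, and a static check that flags hard-coded session keys."""
import ast
import os
import secrets

# Constructed illustration of the weak pattern. These literals are placeholders,
# not dtale's actual key; the point is that any string literal is the defect.
WEAK_CONFIG_SOURCE = '''
from flask import Flask
app = Flask(__name__)
app.config["SECRET_KEY"] = "example-hardcoded-key-PLACEHOLDER"
SECRET_KEY = "another-literal-PLACEHOLDER"
'''

# Constructed illustration of the corrected pattern: key sourced at runtime.
SAFE_CONFIG_SOURCE = '''
import os
from flask import Flask
app = Flask(__name__)
app.config["SECRET_KEY"] = os.environ["DTALE_SECRET_KEY"]
'''

MIN_KEY_BYTES = 32  # 256 bits of entropy; as hex that is 64 characters


def load_secret_key(environ=None, var="DTALE_SECRET_KEY"):
    """Return the session-signing key from the environment or refuse to start.

    Failing closed matters: a fallback literal such as `or "dev-key"` recreates
    the CWE-798 condition in production. `var` is an assumed name for this example.
    """
    env = os.environ if environ is None else environ
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to start with a default key")
    if len(key) < 2 * MIN_KEY_BYTES:
        raise RuntimeError(f"{var} is too short; need at least {2 * MIN_KEY_BYTES} hex chars")
    return key


def secret_key_is_acceptable(environ, var="DTALE_SECRET_KEY"):
    """Boolean wrapper around load_secret_key for pre-deployment checks."""
    try:
        load_secret_key(environ, var)
        return True
    except RuntimeError:
        return False


def generate_secret_key():
    """Operator helper: a fresh random key to place in the environment variable."""
    return secrets.token_hex(MIN_KEY_BYTES)


def _is_secret_key_target(target):
    """True for `SECRET_KEY`, `<obj>.secret_key` and `<obj>["SECRET_KEY"]` targets."""
    if isinstance(target, ast.Name):
        return target.id == "SECRET_KEY"
    if isinstance(target, ast.Attribute):
        return target.attr.lower() == "secret_key"
    if isinstance(target, ast.Subscript):
        sl = target.slice
        return isinstance(sl, ast.Constant) and sl.value == "SECRET_KEY"
    return False


def find_hardcoded_secret_keys(source):
    """Return (lineno, statement) for each SECRET_KEY assigned from a str literal.

    Assignments whose value is an expression (os.environ lookup, function call)
    are not flagged, so the hardened pattern passes while the weak one does not.
    Requires Python 3.9+ for ast.unparse.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if any(_is_secret_key_target(t) for t in node.targets):
            findings.append((node.lineno, ast.unparse(node)))
    return findings


if __name__ == "__main__":
    for lineno, stmt in find_hardcoded_secret_keys(WEAK_CONFIG_SOURCE):
        print(f"hard-coded SECRET_KEY at line {lineno}: {stmt}")
    print("safe config findings:", find_hardcoded_secret_keys(SAFE_CONFIG_SOURCE))
    print("example key for DTALE_SECRET_KEY:", generate_secret_key())
```

Running the module flags both literal assignments in the weak source and none in the environment-sourced version; `load_secret_key` is the piece to wire into application start-up so a missing or short key aborts the process instead of silently falling back to a default.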

AI Security Analysis [AI]

AI Category: Data Processing Libraries
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: D-Tale (dtale) is an interactive web-based data exploration and visualization tool built on Pandas, commonly used in data science and ML workflows for data processing, making it a data processing library in the AI/ML context. Flagged on an AI/ML bug bounty platform (Huntr).

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

Hardcoded SECRET_KEY allows forging session cookies to bypass authentication (T1606.001). Improper input validation enables unauthenticated remote code execution via the /update-settings endpoint (T1190).

Affected Assets

Vendor: man
Product: d-tale
Version: 3.10.0

Mitigating Controls

Likely Mitigating Controls [AI]

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-798: Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
- Addresses CWE-798: Security training explicitly warns against hard-coded credentials, lowering their use in systems.
- Addresses CWE-798: Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- Addresses CWE-798: External identity providers eliminate the need for hard-coded credentials in applications.
- Addresses CWE-798: Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
- Addresses CWE-798: Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
- Addresses CWE-798: Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
- Addresses CWE-798: Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
