man-group / dtale

Visualizer for pandas data structures
http://alphatechadmin.pythonanywhere.com
GNU Lesser General Public License v2.1

CVE-2024-3408 reported on dtale, hardcoded SECRET_KEY on app.py #870

Closed jammann closed 6 days ago

jammann commented 1 week ago

Hi

I'm not sure you're even aware of CVE-2024-3408 https://nvd.nist.gov/vuln/detail/CVE-2024-3408 which has been reported against dtale. It causes me some headache, because at a customer they refuse to upgrade dtale because of this.

It's simply about the hard-coded SECRET_KEY here https://github.com/man-group/dtale/blob/master/dtale/app.py#L323. Now I know this is not going to cause any real issue for me, because I'm using dtale as a component in Jupyter behind a proxy. But still this issue is reported on my application which includes dtale.

I understand that this is probably not a real threat for most users of dtale, but the CVSS score is very high, so "security specialists" at said customer are pushing me to remove dtale from my application because of this.

I wonder if you could just replace the hardcoded 'Dtale' with some dynamically generated random string. That would certainly count as a fix for this CVE.

CU, Joe

aschonfeld commented 1 week ago

@jammann how does this look? https://github.com/man-group/dtale/pull/871/files

jammann commented 1 week ago

LGTM!

jammann commented 1 week ago

BTW: are the instructions here https://github.com/man-group/dtale/security/policy still up to date? According to the history in huntr https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91 they tried to contact the email address several times over some weeks.

Judging from the speed with which you implemented a fix after I raised the issue, I assume none of those mails ever reached you @aschonfeld, right?

aschonfeld commented 6 days ago

@jammann sorry about that. It looks like there was a miscommunication back in March. Your email was received, but when it was forwarded to me it referenced an issue that I had already, and therefore I assumed it was just a duplicate. My apologies.

aschonfeld commented 6 days ago

@jammann just released v3.13.1 with this fix to PyPI (should be on conda-forge within the hour). Let me know if you have any issues.