CVE-2024-45595: 
Python vulnerability analysis and mitigation

D-Tale, a visualizer for Pandas data structures, contains a remote code execution vulnerability (CVE-2024-45595) that affects versions prior to 3.14.1. The vulnerability allows attackers to run malicious code on the server when D-Tale is hosted publicly. The issue was discovered and disclosed on September 10, 2024, with a patch released in version 3.14.1 (GitHub Advisory).

The vulnerability exists in the 'Custom Filter' input functionality within the Chart Builder feature. The issue received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NVD, while GitHub assessed it with a score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When D-Tale is hosted publicly, attackers can exploit this vulnerability to execute arbitrary code on the server through the Query input on Chart Builder, potentially leading to unauthorized access and system compromise (GitHub Advisory).

The primary mitigation is to upgrade to D-Tale version 3.14.1 or later, where the 'Custom Filter' input is disabled by default. For users unable to upgrade, the only workaround is to restrict D-Tale access to trusted users only. In version 3.14.1, users can explicitly enable the 'Custom Filter' functionality if needed, but should do so with caution (GitHub Advisory, D-Tale Patch).