Lucene search

GitHub Advisory DatabaseGHSA-8QW9-GF7W-42X5

HistoryJan 12, 2024 - 5:35 p.m.

Minor fix to previous patch for CVE-2022-35918

2024-01-1217:35:21

GitHub Advisory Database

github.com

cve-2022-35918

directory traversal attack

streamlit apps

security update

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

51.6%

JSON

Impact

The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions.

Patches

We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security.

Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Affected configurations

Vulners

Node

streamlitstreamlitRange0.63.0≥

streamlitstreamlitRange<1.30.0

References

github.com/advisories/GHSA-8qw9-gf7w-42x5

github.com/streamlit/streamlit/commit/bd0a8996c4c7ec55b9c6557e7b168b0c13a25b90

github.com/streamlit/streamlit/security/advisories/GHSA-8qw9-gf7w-42x5

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

51.6%

JSON

Related for GHSA-8QW9-GF7W-42X5