logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-42474 streamlit

Package

Manager: pip
Name: streamlit
Vulnerable Version: >=0 <1.37.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00171 pctl0.38784

Details

Path traveral in Streamlit on windows ### 1. Impacted Products Streamilt Open Source versions before 1.37.0. ### 2. Introduction Snowflake Streamlit open source addressed a security vulnerability via the [static file sharing feature](https://docs.streamlit.io/develop/concepts/configuration/serving-static-files). The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows. ### 3. Path Traversal Vulnerability #### 3.1 Description On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of [5.9](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) #### 3.2 Scenarios and attack vector(s) Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the [static file sharing feature](https://docs.streamlit.io/develop/concepts/configuration/serving-static-files) is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. #### 3.3 Resolution The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0. ### 4. Contact Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).

Metadata

Created: 2024-08-12T18:35:12Z
Modified: 2024-11-26T18:52:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-rxff-vr5r-8cj5/GHSA-rxff-vr5r-8cj5.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-rxff-vr5r-8cj5
Finding: F063
Auto approve: 1