
GHSA-8qw9-gf7w-42x5 streamlit

Package

Manager: pip
Name: streamlit
Vulnerable Version: >=0.63.0 <1.30.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Minor fix to previous patch for CVE-2022-35918

### Impact

The initial vulnerability in Streamlit apps using custom components, which allowed directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted that could still expose certain files on the server file-system under specific conditions.

### Patches

We released an update in version 1.30.0 to further tighten the path checks. Users are strongly advised to update to version 1.30.0 immediately.

### Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

### For more information

If you have any questions or comments about this advisory:

* Email us at [security@streamlit.io](mailto:security@streamlit.io)
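The advisory does not describe the residual defect, so the example below is an added, generic illustration rather than Streamlit's own code or a reconstruction of its fix. It shows the class of check that a server for component assets needs: a naive string-prefix containment test (`naive_is_inside`, a hypothetical name) beside a strict one (`resolve_component_file`, also hypothetical) that resolves the path and requires it to be a true descendant of the component root. The directory layout (`comp/` next to `comp_private/`) and the request strings are constructed for the demo; the point is that prefix matching can accept a sibling directory whose name merely starts with the root's name, which is one way a "minor issue" can survive a first traversal fix.

```python
"""Path-containment check for files served from a component directory.
Added example; not Streamlit's code and not its actual vulnerable logic."""
import os
import tempfile
from pathlib import Path


def naive_is_inside(component_root: str, requested: str) -> bool:
    """String-prefix containment check (hypothetical weak variant).
    abspath() collapses '..' segments, but startswith() also accepts any
    sibling directory whose name begins with the root's name."""
    root = os.path.abspath(component_root)
    candidate = os.path.abspath(os.path.join(root, requested))
    return candidate.startswith(root)


def resolve_component_file(component_root: str, requested: str):
    """Return the resolved path of `requested` under `component_root`,
    or None when the request escapes it. Path.resolve() collapses '..'
    and follows symlinks; relative_to() succeeds only for real descendants
    of the root, so there is no prefix-matching loophole."""
    root = Path(component_root).resolve()
    # Joining an absolute `requested` discards `root`; resolve() then
    # yields that absolute path and relative_to() rejects it.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def build_demo_tree(base: str) -> str:
    """Constructed layout: <base>/comp/index.html (public asset) next to
    <base>/comp_private/secret.txt (must never be served)."""
    root = os.path.join(base, "comp")
    os.makedirs(root)
    os.makedirs(os.path.join(base, "comp_private"))
    Path(root, "index.html").write_text("<html></html>")
    Path(base, "comp_private", "secret.txt").write_text("constructed secret")
    return root


def run_demo() -> dict:
    """Evaluate both checks on three constructed requests; True means the
    check would allow the file to be served."""
    requests = [
        "index.html",                   # legitimate asset
        "../../etc/passwd",             # classic traversal, both checks reject
        "../comp_private/secret.txt",   # sibling dir: naive check accepts it
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = build_demo_tree(base)
        for req in requests:
            results[req] = {
                "naive": naive_is_inside(root, req),
                "strict": resolve_component_file(root, req) is not None,
            }
    return results


if __name__ == "__main__":
    for req, outcome in run_demo().items():
        print(f"{req!r:32} naive={outcome['naive']!s:5} strict={outcome['strict']}")
```

Running the block prints one line per request; the sibling-directory case is the one where the two checks disagree. In a real server the strict variant should also confirm the final path is a regular file and, if symlinks inside the component directory are not expected, reject any resolved path that differs from the unresolved join.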

Metadata

Created: 2024-01-12T17:35:21Z
Modified: 2024-01-12T17:35:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8qw9-gf7w-42x5/GHSA-8qw9-gf7w-42x5.json
CWE IDs: []
Alternative ID: N/A
Finding: F123
Auto approve: 1