ghsa-v4hr-4jpx-56gc
Vulnerability from github
Impact
Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.
An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.
Patches
On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.
Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.
Workarounds
None.
References
- https://docs.google.com/document/d/e/2PACX-1vRzF9K6gwv9KnQz---1pt0SdHMVt-CHuKMmdTH1uct7xPcK7vToP4FvYdI84aO6rGfCmrBSaViri0Nd/pub
For more information
If you have any questions or comments about this advisory: * Email us at security@streamlit.io
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "streamlit" }, "ranges": [ { "events": [ { "introduced": "0.63.0" }, { "fixed": "1.11.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-35918" ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2022-08-06T05:51:50Z", "nvd_published_at": "2022-08-01T22:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nUsers hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.\n\nAn attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.\n\n### Patches\nOn July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.\n\nFinally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.\n\n### Workarounds\nNone.\n\n### References\n* https://docs.google.com/document/d/e/2PACX-1vRzF9K6gwv9KnQz---1pt0SdHMVt-CHuKMmdTH1uct7xPcK7vToP4FvYdI84aO6rGfCmrBSaViri0Nd/pub\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@streamlit.io](mailto:security@streamlit.io)\n", "id": "GHSA-v4hr-4jpx-56gc", "modified": "2022-08-06T05:51:50Z", "published": "2022-08-06T05:51:50Z", "references": [ { "type": "WEB", "url": "https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35918" }, { "type": "WEB", "url": "https://github.com/streamlit/streamlit/commit/80d9979d5f4a00217743d607078a1d867fad8acf" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2022-248.yaml" }, { "type": "PACKAGE", "url": "https://github.com/streamlit/streamlit" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Streamlit directory traversal vulnerability" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.