Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04cXc5LWdmN3ctNDJ4Nc4AA4a1

Minor fix to previous patch for CVE-2022-35918

Impact

The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions.

Patches

We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security.

Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-8qw9-gf7w-42x5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cXc5LWdmN3ctNDJ4Nc4AA4a1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 11 months ago

Identifiers: GHSA-8qw9-gf7w-42x5
References:

Repository: https://github.com/streamlit/streamlit
Blast Radius: 0.0

Affected Packages

pypi:streamlit

Dependent packages: 1,232
Dependent repositories: 48,041
Downloads: 7,397,447 last month
Affected Version Ranges: >= 0.63.0, < 1.30.0
Fixed in: 1.30.0
All affected versions: 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.65.1, 0.65.2, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.68.1, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.73.1, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.84.0, 0.84.1, 0.84.2, 0.85.0, 0.85.1, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.29.0
All unaffected versions: 0.8.2, 0.9.0, 0.11.0, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.3, 0.13.5, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.40.0, 0.40.1, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.43.2, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.54.0, 0.55.0, 0.55.2, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.57.3, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.62.1, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.39.0, 1.40.0, 1.40.1