Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12NGhyLTRqcHgtNTZnY84AAt2n

Streamlit directory traversal vulnerability

Impact

Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.

An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

Patches

On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.

Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.

Workarounds

None.

References

https://docs.google.com/document/d/e/2PACX-1vRzF9K6gwv9KnQz---1pt0SdHMVt-CHuKMmdTH1uct7xPcK7vToP4FvYdI84aO6rGfCmrBSaViri0Nd/pub

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-v4hr-4jpx-56gc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NGhyLTRqcHgtNTZnY84AAt2n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-v4hr-4jpx-56gc, CVE-2022-35918
References:

Repository: https://github.com/streamlit/streamlit
Blast Radius: 30.4

Affected Packages

pypi:streamlit

Dependent packages: 873
Dependent repositories: 48,041
Downloads: 3,918,047 last month
Affected Version Ranges: >= 0.63.0, < 1.11.1
Fixed in: 1.11.1
All affected versions: 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.65.1, 0.65.2, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.68.1, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.73.1, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.84.0, 0.84.1, 0.84.2, 0.85.0, 0.85.1, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0
All unaffected versions: 0.8.2, 0.9.0, 0.11.0, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.3, 0.13.5, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.40.0, 0.40.1, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.43.2, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.54.0, 0.55.0, 0.55.2, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.57.3, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.62.1, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.32.2, 1.33.0