Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yeGZmLXZyNXItOGNqNc4AA-jf

Path traveral in Streamlit on windows

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact [email protected] if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Permalink: https://github.com/advisories/GHSA-rxff-vr5r-8cj5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeGZmLXZyNXItOGNqNc4AA-jf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-rxff-vr5r-8cj5, CVE-2024-42474
References:

Repository: https://github.com/streamlit/streamlit
Blast Radius: 27.6

Affected Packages

pypi:streamlit

Dependent packages: 1,232
Dependent repositories: 48,041
Downloads: 7,397,447 last month
Affected Version Ranges: < 1.37.0
Fixed in: 1.37.0
All affected versions: 0.8.2, 0.9.0, 0.11.0, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.3, 0.13.5, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.40.0, 0.40.1, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.43.2, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.54.0, 0.55.0, 0.55.2, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.57.3, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.62.1, 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.65.1, 0.65.2, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.68.1, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.73.1, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.84.0, 0.84.1, 0.84.2, 0.85.0, 0.85.1, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.34.0, 1.35.0, 1.36.0
All unaffected versions: 1.37.0, 1.37.1, 1.38.0, 1.39.0, 1.40.0, 1.40.1