Advisories for Pypi/Streamlit package

1. Impacted Products Streamilt Open Source versions before 1.37.0. 2. Introduction Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows. 3. Path Traversal Vulnerability 3.1 Description On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in …

Impact The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions. Patches We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security. Workarounds No additional workarounds …

Synopsis: Streamlit open source publicizes a prior security fix implemented in 2021. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 (inclusive) and was patched on April 21, 2021. If you are using Streamlit with version before 0.63.0 or after 0.80.0, no action is required.

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components is vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that …