CVE-2024-42474: Path traveral in Streamlit on windows
(updated )
1. Impacted Products
Streamilt Open Source versions before 1.37.0.
2. Introduction
Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.
3. Path Traversal Vulnerability
3.1 Description
On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9
3.2 Scenarios and attack vector(s)
Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.
3.3 Resolution
The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.
4. Contact
Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.
References
- github.com/advisories/GHSA-rxff-vr5r-8cj5
- github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2024-153.yaml
- github.com/streamlit/streamlit
- github.com/streamlit/streamlit/commit/3a639859cfdfba2187c81897d44a3e33825eb0a3
- github.com/streamlit/streamlit/security/advisories/GHSA-rxff-vr5r-8cj5
- nvd.nist.gov/vuln/detail/CVE-2024-42474
Detect and mitigate CVE-2024-42474 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →