CVE-2024-30265: Voilà Local file inclusion
Any deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server.
Whether this still requires authentication depends on how voilà is deployed.
References
- github.com/advisories/GHSA-2q59-h24c-w6fg
- github.com/voila-dashboards/voila
- github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52
- github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67
- github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2
- github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8
- github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504
- github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg
- nvd.nist.gov/vuln/detail/CVE-2024-30265
Detect and mitigate CVE-2024-30265 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →