GHSA-rxff-vr5r-8cj5

Suggest an improvement
Source
https://github.com/advisories/GHSA-rxff-vr5r-8cj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-rxff-vr5r-8cj5/GHSA-rxff-vr5r-8cj5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rxff-vr5r-8cj5
Aliases
Published
2024-08-12T18:35:12Z
Modified
2024-11-26T19:08:36.867965Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Path traveral in Streamlit on windows
Details

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Database specific
{
    "nvd_published_at": "2024-08-12T17:15:17Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-12T18:35:12Z"
}
References

Affected packages

PyPI / streamlit

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.37.0

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.8.2
0.9.0
0.11.0
0.12.2
0.12.3
0.12.4
0.13.0
0.13.1
0.13.3
0.13.5
0.14.2
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.16.0
0.16.1
0.16.2
0.16.3
0.17.0
0.17.1
0.17.2
0.18.0
0.18.1
0.19.0
0.19.1
0.20.0
0.21.0
0.22.0
0.22.1
0.22.2
0.23.0
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0
0.26.0
0.26.1
0.27.0
0.28.0
0.29.0
0.30.0
0.31.0
0.32.0
0.33.0
0.34.0
0.35.0
0.36.0
0.37.0
0.40.0
0.40.1
0.41.0
0.42.0
0.43.0
0.43.1
0.43.2
0.44.0
0.45.0
0.46.0
0.47.0
0.47.1
0.47.2
0.47.3
0.47.4
0.48.0
0.48.1
0.49.0
0.50.0
0.50.1
0.50.2
0.51.0
0.52.0
0.52.1
0.52.2
0.53.0
0.54.0
0.55.0
0.55.2
0.56.0
0.57.0
0.57.1
0.57.2
0.57.3
0.58.0
0.59.0
0.60.0
0.61.0
0.62.0
0.62.1
0.63.0
0.63.1
0.64.0
0.65.0
0.65.1
0.65.2
0.66.0
0.67.0
0.67.1
0.68.0
0.68.1
0.69.0
0.69.1
0.69.2
0.70.0
0.71.0
0.72.0
0.73.0
0.73.1
0.74.0
0.74.1
0.75.0
0.76.0
0.77.0
0.78.0
0.79.0
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.84.0
0.84.1
0.84.2
0.85.0
0.85.1
0.86.0
0.87.0
0.88.0
0.89.0

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0rc3
1.6.0rc4
1.6.0
1.7.0
1.8.0rc1
1.8.0
1.8.1rc1
1.8.1
1.9.0rc1
1.9.0
1.9.1rc1
1.9.1rc2
1.9.1
1.9.2rc1
1.9.2
1.10.0rc1
1.10.0rc2
1.10.0
1.11.0rc1
1.11.0
1.11.1rc1
1.11.1
1.12.0rc1
1.12.0rc2
1.12.0
1.12.1rc1
1.12.1
1.12.2rc1
1.12.2rc2
1.12.2
1.13.0rc1
1.13.0rc2
1.13.0
1.14.0rc1
1.14.0
1.14.1rc1
1.14.1
1.15.0
1.15.1
1.15.2rc1
1.15.2
1.16.0
1.17.0
1.18.0
1.18.1rc1
1.18.1
1.19.0
1.20.0
1.21.0
1.22.0
1.23.0
1.23.1
1.24.0
1.24.1
1.25.0
1.26.0
1.26.1
1.27.0
1.27.1
1.27.2
1.28.0
1.28.1
1.28.2
1.29.0
1.30.0
1.31.0
1.31.1
1.32.0
1.32.1
1.32.2rc1
1.32.2
1.33.0
1.34.0
1.35.0
1.36.0