PyPI: streamlit

CVE-2024-42474

Safety vulnerability ID: SFTY-20240812-91083

Safety legacy ID: pyup.io-78762

Affected versions of the `Streamlit` package are vulnerable to Path Traversal due to improper handling of file paths in the static file sharing feature. The static file sharing feature fails to sanitize user input, allowing crafted file paths to access arbitrary files on the server. An attacker can exploit this vulnerability on Windows systems to leak sensitive information, such as the password hash of the Windows user running `Streamlit`, by accessing unauthorized files.

Created at: Jan 6, 2026

Updated at: Jan 6, 2026

Overview

Path traversal in Streamlit on Windows


Affected Package

Affecting streamlit package, versions `>=1.17.1,<1.37.0`


How to Fix

Upgrade `streamlit` to 1.37.0 or higher.



Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
