streamlit-1.14.1-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 6.5)

[mend-bolt-for-github]

Vulnerable Library - streamlit-1.14.1-py2.py3-none-any.whl

A faster way to build and share data apps

Library home page: https://files.pythonhosted.org/packages/20/85/c3e1f497648141dd22b51b2f0363cfceff4d22575cae6e448fdb09b647dd/streamlit-1.14.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (streamlit version)	Remediation Possible**
CVE-2024-42474	Medium	6.5	streamlit-1.14.1-py2.py3-none-any.whl	Direct	1.26.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-42474

Vulnerable Library - streamlit-1.14.1-py2.py3-none-any.whl

A faster way to build and share data apps

Library home page: https://files.pythonhosted.org/packages/20/85/c3e1f497648141dd22b51b2f0363cfceff4d22575cae6e448fdb09b647dd/streamlit-1.14.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ streamlit-1.14.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Streamlit is a data oriented application development framework for python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

Publish Date: 2024-08-12

URL: CVE-2024-42474

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rxff-vr5r-8cj5

Release Date: 2024-08-12

Fix Resolution: 1.26.1

Step up your Open Source Security Game with Mend here

[secure-code-warrior-for-github]

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "path traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior