Streamlit directory traversal vulnerability
CVE-2022-35918

6.5MEDIUM

Key Information:

Vendor: Streamlit
Status: Streamlit
Vendor: CVE Published:; 1 August 2022

What is CVE-2022-35918?

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Affected Version(s)

streamlit >= 0.63.0, < 1.11.1

References

https://github.com/streamlit/streamlit/security/advisorie...

x_refsource_CONFIRM

https://github.com/streamlit/streamlit/commit/80d9979d5f4...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 1, 2022
Vulnerability Reserved
Jul 15, 2022

CVE-2022-35918 Data

JSON