Solara Pure Python Framework Vulnerable to Local File Inclusion (LFI) Exploit

CVE-2024-39903

8.6HIGH

Key Information

Vendor: Widgetti
Status: Solara
Vendor: CVE Published:; 12 July 2024

Summary

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.

Affected Version(s)

solara = < 1.35.1

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 12, 2024
Vulnerability Reserved.
Jul 2, 2024

Collectors

NVD DatabaseMitre Database