Path Traversal Vulnerability in Streamlit for Windows Users
CVE-2024-42474

6.5 MEDIUM

Key Information:

Vendor

Snowflake

Status
Vendor
CVE Published:
12 August 2024

Badges

👾 Exploit Exists 📰 News Worthy

What is CVE-2024-42474?

Streamlit, a data-driven application development framework for Python, is susceptible to a path traversal vulnerability when the static file sharing feature is enabled on Windows. The flaw could allow an attacker to leak the password hash of the Windows user account under which Streamlit is running. A patch was released on July 25, 2024, as part of version 1.37.0. Users hosting Streamlit applications on Windows should update to this version to mitigate the risk.

News Articles

Hash and the data scientist: 3 Python frameworks exposed

A trio of popular Python frameworks – Gradio by Hugging Face, Jupyter Server, and Streamlit from Snowflake – vulnerable to NTLMv2 hash disclosure

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Stack

  • Vulnerability published
