—

PYSEC-2022-248

상세

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file or overwrite existing files on the web-server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / streamlit

최초 영향 버전: 0 수정 버전: 80d9979d5f4a00217743d607078a1d867fad8acf

수정 pip install --upgrade 'streamlit>=80d9979d5f4a00217743d607078a1d867fad8acf'

참고

https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc [ADVISORY]
https://github.com/streamlit/streamlit/commit/80d9979d5f4a00217743d607078a1d867fad8acf [FIX]