Lucene search

GitHub_MCVELIST:CVE-2024-41117

HistoryJul 26, 2024 - 8:49 p.m.

CVE-2024-41117 Remote code execution in streamlit geospatial in pages/10_🌍_Earth_Engine_Datasets.py

2024-07-2620:49:44

CWE-20

GitHub_M

www.cve.org

cve-2024-41117

remote code execution

streamlit geospatial

geospatial applications

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

26.1%

JSON

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the vis_params variable on line 115 in pages/10_🌍_Earth_Engine_Datasets.py takes user input, which is later used in the eval() function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

CNA Affected

[
  {
    "vendor": "opengeos",
    "product": "streamlit-geospatial",
    "versions": [
      {
        "version": "< c4f81d9616d40c60584e36abb15300853a66e489",
        "status": "affected"
      }
    ]
  }
]

References

github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115

github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126

github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489

securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

26.1%

JSON

Related for CVELIST:CVE-2024-41117