Lucene search

[email protected]NVD:CVE-2024-41115

HistoryJul 26, 2024 - 9:15 p.m.

CVE-2024-41115

2024-07-2621:15:13

CWE-20

[email protected]

web.nvd.nist.gov

streamlit-geospatial multipage app

remote code execution

fix

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

26.8%

JSON

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable on line 488 in pages/1_?_Timelapse.py takes user input, which is later used in the eval() function on line 493, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Affected configurations

Nvd

Node

opengeosstreamlit-geospatialRange<2024-07-19

VendorProductVersionCPE
opengeosstreamlit-geospatial*cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opengeos	streamlit-geospatial	*	cpe:2.3:a:opengeos:streamlit-geospatial::::::::

References

github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L488

github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L493

github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489

securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

26.8%

JSON

Related for NVD:CVE-2024-41115

cvelist1 osv1 vulnrichment1 cve1