GitHub_MVULNRICHMENT:CVE-2024-41115CVE-2024-41115 Remote code execution in streamlit geospatial in pages/1_📷_Timelapse.py MODIS Ocean Color SMI option palette
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
26.8%
SSVC
Exploitation
poc
Automatable
yes
Technical Impact
total
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable on line 488 in pages/1_📷_Timelapse.py takes user input, which is later used in the eval() function on line 493, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*"
],
"vendor": "opengeos",
"product": "streamlit-geospatial",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "c4f81d9616d40c60584e36abb15300853a66e489",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]References
github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L488
github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L493
github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
26.8%
SSVC
Exploitation
poc
Automatable
yes
Technical Impact
total