PYSEC-2022-248

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/streamlit/PYSEC-2022-248.yaml
Aliases
Published
2022-08-01T22:15:00Z
Modified
2023-11-08T04:09:52.554382Z
Details

Streamlit is a data-oriented application development framework for Python. Users hosting Streamlit apps that use custom components are vulnerable to a directory traversal attack that could leak data from the web server's file system, such as server logs, world-readable files and potentially other sensitive information. An attacker can craft a malicious URL containing file paths; the Streamlit server processes that URL and returns the contents of the referenced file, or overwrites existing files on the web server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.
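The following is an added illustration of the vulnerability class described above and of the version check a deployer would run; it is not Streamlit's code and does not reproduce the actual affected handler. It contrasts a naive static-file resolver that appends the URL path to a component directory (the traversal pattern the advisory describes) with a hardened one that confines the resolved path to that directory, replays constructed requests against both inside a throwaway directory, and adds a small `is_affected` helper that applies this advisory's ECOSYSTEM range (introduced 0.63.0, fixed 1.11.1) to the `X.Y.Z` / `X.Y.ZrcN` version forms listed on this page. The function names, the sample directory layout, the `%2F` decoding step and the assumption that a release candidate sorts before its final release are all illustrative choices, not facts taken from the advisory.

```python
import os
import re
import tempfile
import urllib.parse


def resolve_naive(component_dir, url_path):
    """Vulnerable pattern (illustrative, not Streamlit's code): the URL path is
    decoded and joined onto the component directory without confining the
    result, so '../' segments (or an absolute path, which os.path.join honours)
    walk out of the directory."""
    rel = urllib.parse.unquote(url_path)
    return os.path.join(component_dir, rel)


def resolve_safe(component_dir, url_path):
    """Hardened pattern: canonicalise both the root and the candidate, then
    require the candidate to live inside the root. Symlinks are resolved by
    realpath before the comparison, so a link pointing outside is also caught."""
    root = os.path.realpath(component_dir)
    rel = urllib.parse.unquote(url_path)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes component dir: {url_path!r}")
    return candidate


def traversal_outcomes():
    """Build a constructed component directory plus a 'server.log' one level
    above it, and replay three requests against both resolvers. Returns, per
    request, (naive_resolver_reads_outside_root, hardened_resolver_result)."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        component_dir = os.path.join(tmp, "component")
        os.makedirs(component_dir)
        with open(os.path.join(component_dir, "index.html"), "w") as fh:
            fh.write("<html>component frontend</html>")  # constructed sample
        with open(os.path.join(tmp, "server.log"), "w") as fh:
            fh.write("constructed log line: not for the browser")
        root = os.path.realpath(component_dir)
        # Plain, raw-traversal and percent-encoded traversal requests (constructed).
        for request in ("index.html", "../server.log", "..%2Fserver.log"):
            naive_path = os.path.realpath(resolve_naive(component_dir, request))
            naive_escapes = (os.path.isfile(naive_path)
                             and os.path.commonpath([root, naive_path]) != root)
            try:
                resolve_safe(component_dir, request)
                safe_result = "served"
            except PermissionError:
                safe_result = "rejected"
            outcomes[request] = (naive_escapes, safe_result)
    return outcomes


# Only the version shapes listed in this advisory are handled; anything else
# (post/dev releases, local versions) is rejected rather than mis-ordered.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def version_key(version):
    """Sort key for 'X.Y.Z' and 'X.Y.ZrcN'. Assumption: a release candidate
    sorts before its final release, which is why 1.11.1rc1 is affected while
    1.11.1 is the fix."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 1 if rc is None else 0, int(rc or 0))


def is_affected(version):
    """True if `version` falls in this advisory's range: >= 0.63.0 and < 1.11.1."""
    return version_key("0.63.0") <= version_key(version) < version_key("1.11.1")


if __name__ == "__main__":
    for req, (escapes, safe) in traversal_outcomes().items():
        print(f"{req:18} naive escapes root: {escapes!s:5}  hardened: {safe}")
    for v in ("0.62.0", "0.63.0", "1.11.1rc1", "1.11.1"):
        print(f"streamlit {v:10} affected: {is_affected(v)}")
```

The `commonpath` comparison after `realpath` is the check to carry into any custom static-file route: string-prefix tests on the un-normalised path miss `..` segments, percent-encoded separators and symlinks, all of which the hardened resolver above handles. On a deployed host, `python -c "import streamlit; print(streamlit.__version__)"` gives the value to pass to `is_affected`.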

References

Affected packages

PyPI / streamlit

Package

Name
streamlit

Affected ranges

Type
GIT
Repo
https://github.com/streamlit/streamlit
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
Type
ECOSYSTEM
Events
Introduced
0.63.0
Fixed
1.11.1

Affected versions

0.*

0.63.0
0.63.1
0.64.0
0.65.0
0.65.1
0.65.2
0.66.0
0.67.0
0.67.1
0.68.0
0.68.1
0.69.0
0.69.1
0.69.2
0.70.0
0.71.0
0.72.0
0.73.0
0.73.1
0.74.0
0.74.1
0.75.0
0.76.0
0.77.0
0.78.0
0.79.0
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.84.0
0.84.1
0.84.2
0.85.0
0.85.1
0.86.0
0.87.0
0.88.0
0.89.0

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0rc3
1.6.0rc4
1.6.0
1.7.0
1.8.0rc1
1.8.0
1.8.1rc1
1.8.1
1.9.0rc1
1.9.0
1.9.1rc1
1.9.1rc2
1.9.1
1.9.2rc1
1.9.2
1.10.0rc1
1.10.0rc2
1.10.0
1.11.0rc1
1.11.0
1.11.1rc1