PT-2024-29268 · Pypi · Streamlit-Geospatial
Sylwia Budzynska
·
Published
2024-07-26
·
Updated
2024-08-26
·
CVE-2024-41112
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489
Description
The issue allows for remote code execution due to the use of user input in the
eval() function. Specifically, the palette variable in the pages/1 📷 Timelapse.py file takes user input, which is then evaluated. This could potentially lead to malicious code execution.Recommendations
For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from commit c4f81d9616d40c60584e36abb15300853a66e489 to resolve the issue. As a temporary workaround, consider restricting user input to the
palette variable in the pages/1 📷 Timelapse.py file to minimize the risk of exploitation.Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Streamlit-Geospatial