CVE-2024-41114

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489

Description The issue arises from the palette variable, which takes user input on line 430 in pages/1 📷 Timelapse.py. This input is later used in the eval() function on line 435, leading to remote code execution.

Recommendations For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from commit c4f81d9616d40c60584e36abb15300853a66e489 to resolve the issue. As a temporary workaround, consider restricting the use of the eval() function or sanitizing the palette variable to prevent malicious input.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2024-41114

Affected Products

Streamlit-Geospatial

CVE-2024-41114

Weakness Enumeration

Related Identifiers

Affected Products

References · 9