PT-2024-29272 · Unknown · Streamlit-Geospatial

Sylwia Budzynska

Published

2024-07-26

Updated

2024-08-26

CVE-2024-41116

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489

Description The issue arises from the vis params variable, which takes user input and is later used in the eval() function, leading to remote code execution. This occurs in the pages/1 📷 Timelapse.py file, specifically on lines 1254 and 1345.

Recommendations For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from commit c4f81d9616d40c60584e36abb15300853a66e489 to resolve the issue. As a temporary workaround, consider restricting user input to the vis params variable or avoiding the use of the eval() function until the update is applied.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2024-41116

Affected Products

Streamlit-Geospatial

PT-2024-29272 · Unknown · Streamlit-Geospatial

CVE-2024-41116

Weakness Enumeration

Related Identifiers

Affected Products

References · 8