PT-2024-29273 · Unknown · Streamlit-Geospatial

Sylwia Budzynska · Published 2024-07-26 · Updated 2024-08-26 · CVE-2024-41117

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489

Description: The application passes user input into the vis params variable, which is later evaluated with eval(), allowing remote code execution. The affected code is in the file pages/10 🌍 Earth Engine Datasets.py.

Recommendations: For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from that commit. As a temporary workaround, restrict the use of eval() on user-supplied data until the update is applied.
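An added illustration of the bug class described above (not the project's code; the widget string, the allow-listed keys and the sample input are assumptions): the eval() pattern beside a hardened parser that treats the vis params string as data and validates its shape.

```python
import ast
import json

# Constructed sample of the text a user might type into a visualization
# parameters widget; the real widget values are not on the advisory page.
SAMPLE_VIS_PARAMS = '{"min": 0, "max": 3000, "palette": ["006633", "E5FFCC"]}'

# Hypothetical allow-list of parameter names and the Python types each may
# hold; not taken from the project.
ALLOWED = {
    "min": (int, float), "max": (int, float), "gamma": (int, float),
    "opacity": (int, float), "bands": list, "palette": list,
}


def parse_vis_params_vulnerable(text: str) -> dict:
    """Pattern the advisory describes: user text reaches eval(), so any
    Python expression typed into the widget runs with the app's privileges."""
    return eval(text)  # intentionally insecure, shown only for contrast


def parse_vis_params_safe(text: str) -> dict:
    """Hardened replacement: parse as data only, then validate the result."""
    try:
        params = json.loads(text)
    except json.JSONDecodeError:
        # Also accept Python dict literals, but only literals: literal_eval
        # raises on calls, names, attribute access and other expressions.
        try:
            params = ast.literal_eval(text)
        except (ValueError, SyntaxError) as exc:
            raise ValueError("vis params must be a dict literal") from exc
    if not isinstance(params, dict):
        raise ValueError("vis params must be a dict")
    for key, value in params.items():
        if key not in ALLOWED:
            raise ValueError(f"unexpected vis param: {key!r}")
        if not isinstance(value, ALLOWED[key]):
            raise ValueError(f"wrong type for vis param {key!r}")
    return params


if __name__ == "__main__":
    print(parse_vis_params_safe(SAMPLE_VIS_PARAMS))
```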

Links: Exploit, Fix

Tag: RCE

Weakness Enumeration: not listed

Related Identifiers: CVE-2024-41117

Affected Products: Streamlit-Geospatial