CVE-2024-41120

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489

Description The issue arises from the url variable in the pages/9 🔲 Vector Data Visualization.py file, which takes user input. This input is then passed to the gpd.read file method, allowing it to create requests to arbitrary destinations. This leads to a blind server-side request forgery.

Recommendations For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from commit c4f81d9616d40c60584e36abb15300853a66e489 to resolve the issue.

Exploit

Fix

SSRF

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918CWE-20

Related Identifiers

CVE-2024-41120

Affected Products

Streamlit-Geospatial

CVE-2024-41120

Weakness Enumeration

Related Identifiers

Affected Products

References · 9