
CVE-2022-35918 : Security Advisory and Response

Learn about CVE-2022-35918 affecting Streamlit users. Understand the impact, affected versions, and steps to mitigate the directory traversal vulnerability.

Streamlit directory traversal vulnerability

Understanding CVE-2022-35918

Streamlit users hosting applications that use custom components are exposed to a directory traversal attack that can leak data from the web server's file system, such as server logs, world-readable files and potentially other sensitive information.

What is CVE-2022-35918?

Streamlit is a data-oriented application development framework for Python. Custom components ship a front-end directory that the Streamlit server serves over HTTP, and in affected versions the file path taken from the request URL was joined onto that directory without checking that the result stayed inside it. An attacker can therefore craft a URL whose path escapes the component directory and have the server return the contents of any file the Streamlit process can read.

The Impact of CVE-2022-35918

The vulnerability has a CVSS base score of 6.5 (Medium severity) with high confidentiality impact: the attacker reads files but cannot modify them through this flaw. Server logs, world-readable files and potentially other sensitive information on the host are exposed. Only deployments that actually use custom components expose the vulnerable handler.

Technical Details of CVE-2022-35918

Vulnerability Description

Streamlit versions greater than or equal to 0.63.0 and less than 1.11.1 are affected. The range starts at 0.63.0, the release that introduced custom components, so every version that can serve component files before the fix is in scope.

Affected Systems and Versions

Streamlit versions >= 0.63.0, < 1.11.1

Exploitation Mechanism

The component file handler builds a file-system path from the request URL: the URL names a component and a file within that component's front-end directory. Because the file part was not checked for `..` segments, a request whose path climbs out of the component directory is resolved and its contents returned, with the permissions of the user running the Streamlit server. The handler is reachable by anyone who can reach the app, so no application-level login is needed beyond network access to an app that uses custom components.
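To make the bug class concrete, the following Python is an added illustration written for this page, not Streamlit's code: `unsafe_resolve` mirrors the vulnerable pattern (join the client-supplied path onto the component root and open the result), and `safe_resolve` shows the containment check that closes it. The function names, the fixture layout and the sample requests are all assumptions made for the example.

```python
"""
Added illustration of the CVE-2022-35918 bug class: a component file server
that joins a client-supplied path onto a per-component root without checking
that the result stays inside that root.  This is NOT Streamlit's code; the
function names and fixture layout are assumptions made for this example.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def unsafe_resolve(component_root: str, requested: str) -> str:
    """Vulnerable pattern: trust the request path and join it onto the root.

    Two failure modes are visible here:
      * '..' segments walk out of component_root;
      * an absolute `requested` makes os.path.join drop component_root entirely.
    """
    return os.path.join(component_root, unquote(requested))


def safe_resolve(component_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: canonicalise both paths, then require containment.

    realpath() normalises '..' and follows symlinks, so a symlink placed inside
    the root that points outside it is rejected too.  Returns None on any
    escape (or on a non-file) so the caller answers 403/404 instead of
    opening the path.
    """
    root = os.path.realpath(component_root)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained or not os.path.isfile(candidate):
        return None
    return candidate


def serves_file(resolver, component_root: str, requested: str) -> bool:
    """True if `resolver` would hand the caller an existing regular file."""
    path = resolver(component_root, requested)
    return path is not None and os.path.isfile(path)


def build_fixture() -> tuple:
    """Constructed sample layout (assumption for the demo):
    <tmp>/components/demo/index.html is the only file a client should be able
    to fetch; <tmp>/secret.txt stands in for a server log outside the root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "components", "demo")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>component frontend</html>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("server log line that must not leak")
    return root, secret


if __name__ == "__main__":
    root, secret = build_fixture()
    # Constructed sample requests: a legitimate asset, a normalised-inside path,
    # a plain traversal, a percent-encoded traversal and an absolute path.
    for req in ("index.html", "sub/../index.html", "../../secret.txt",
                "%2e%2e/%2e%2e/secret.txt", secret):
        print(f"{req!r:45} unsafe serves: {serves_file(unsafe_resolve, root, req)!s:5} "
              f"safe serves: {serves_file(safe_resolve, root, req)}")
```

Running it prints, for each request, whether each resolver would hand back a real file: the unsafe resolver serves the secret for the traversal, the encoded traversal and the absolute path, while the safe one serves only `index.html`. realpath() is used rather than normpath() so that a symlink inside the root pointing outside it is also rejected, which is the stricter choice; a deployment that deliberately symlinks assets into a component directory would need to resolve the root the same way. Note the absolute-path case: os.path.join discards every preceding argument when a later one is absolute, so the unsafe resolver serves any absolute path verbatim.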

Mitigation and Prevention

Immediate Steps to Take

Users are advised to upgrade to version 1.11.1 or later, for example with `pip install --upgrade "streamlit>=1.11.1"`, and to confirm the running version afterwards with `python -c "import streamlit; print(streamlit.__version__)"`. There are no known workarounds. Until the upgrade is applied, assume that any file readable by the Streamlit process is readable by anyone who can reach an app that uses custom components.

Long-Term Security Practices

Keep Streamlit and its dependencies current and track its GitHub security advisories. Independently of patch level, run the Streamlit process as a dedicated low-privilege user and keep logs, credentials and other sensitive files out of its readable scope, so that a future file-read flaw has little to disclose.

Patching and Updates

The official advisory for CVE-2022-35918 is published in the Streamlit GitHub repository's security advisories and references the commit containing the fix that shipped in release 1.11.1.
