CVE-2024-41117 - OpenCVE

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_🌍_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opengeos	Streamlit-geospatial

Configuration 1 [-]

cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126
https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/

History

Mon, 26 Aug 2024 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opengeos Opengeos streamlit-geospatial
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:opengeos:streamlit-geospatial::::::::
Vendors & Products		Opengeos Opengeos streamlit-geospatial

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-26T20:49:44.689Z

Updated: 2024-08-02T04:46:52.277Z

Reserved: 2024-07-15T15:53:28.322Z

Link: CVE-2024-41117

Vulnrichment

Updated: 2024-08-02T04:46:52.277Z

NVD

Status : Analyzed

Published: 2024-07-26T21:15:13.443

Modified: 2024-08-26T17:33:29.180

Link: CVE-2024-41117

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41117", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.322Z", "datePublished": "2024-07-26T20:49:44.689Z", "dateUpdated": "2024-08-02T04:46:52.277Z"}, "containers": {"cna": {"title": "Remote code execution in streamlit geospatial in pages/10_\ud83c\udf0d_Earth_Engine_Datasets.py", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/"}, {"name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "tags": ["x_refsource_MISC"], "url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489"}, {"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "tags": ["x_refsource_MISC"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115"}, {"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "tags": ["x_refsource_MISC"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126"}], "affected": [{"vendor": "opengeos", "product": "streamlit-geospatial", "versions": [{"version": "< c4f81d9616d40c60584e36abb15300853a66e489", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-26T20:49:44.689Z"}, "descriptions": [{"lang": "en", "value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_\ud83c\udf0d_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."}], "source": {"advisory": "GHSA-mmww-2w5p-78w6", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "opengeos", "product": "streamlit-geospatial", "cpes": ["cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "c4f81d9616d40c60584e36abb15300853a66e489", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-28T13:43:58.700151Z", "id": "CVE-2024-41117", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-28T13:44:03.410Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.277Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/"}, {"name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489"}, {"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115"}, {"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.277Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41117", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-28T13:43:58.700151Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*"], "vendor": "opengeos", "product": "streamlit-geospatial", "versions": [{"status": "affected", "version": "0", "lessThan": "c4f81d9616d40c60584e36abb15300853a66e489", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-28T13:41:14.579Z"}}], "cna": {"title": "Remote code execution in streamlit geospatial in pages/10_\ud83c\udf0d_Earth_Engine_Datasets.py", "source": {"advisory": "GHSA-mmww-2w5p-78w6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opengeos", "product": "streamlit-geospatial", "versions": [{"status": "affected", "version": "< c4f81d9616d40c60584e36abb15300853a66e489"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_\ud83c\udf0d_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-26T20:49:44.689Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41117", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:46:52.277Z", "dateReserved": "2024-07-15T15:53:28.322Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-26T20:49:44.689Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C3566CD-95FC-46B6-B07E-1070B3292047", "versionEndExcluding": "2024-07-19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_?_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."}, {"lang": "es", "value": "streamlit-geospatial es una aplicaci\u00f3n multip\u00e1gina optimizada para aplicaciones geoespaciales. Antes de la confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489, la variable `vis_params` en la l\u00ednea 115 en `pages/10_?_Earth_Engine_Datasets.py` toma la entrada del usuario, que luego se usa en la funci\u00f3n `eval()` en la l\u00ednea 126, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. La confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489 soluciona este problema."}], "id": "CVE-2024-41117", "lastModified": "2024-08-26T17:33:29.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-26T21:15:13.443", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L115"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/10_%F0%9F%8C%8D_Earth_Engine_Datasets.py#L126"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}