CVE-2022-35918: Streamlit directory traversal vulnerability
Recently, a vulnerability that allows attackers to read the web server file system has been patched in Streamlit. Streamlit is an open-source Python library that makes it easy to create and share beautiful, custom web apps for machine learning and data science. In just a few minutes you can build and deploy powerful data apps.
The bug tracked as CVE-2022-35918 (CVSS score 6.5) can be exploited by an attacker to grant data from web servers file systems such as server logs, world-readable files, and potentially other sensitive information.
The security vulnerability affects Streamlit version 1.11.0 and below. However, CVE-2022-35918 does not affect Streamlit Cloud. “An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file or overwrite existing files on the web-server,” the advisory explains.
On July 27th, Streamlit version 1.11.1 was released to ensure that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. Also, users should review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.