Back

CVE-2024-41118

July 26, 2024, 9:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

streamlit-geospatial

  • before commit c4f81d9616d40c60584e36abb15300853a66e489

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-918
2024-07-26
CVE-2024-41118

CVE-2024-41118 details

Published : July 26, 2024, 9:15 p.m.
Last Modified : July 26, 2024, 9:15 p.m.

Description

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 47 of `pages/7_📦_Web_Map_Service.py` takes user input, which is passed to `get_layers` function, in which `url` is used with `get_wms_layer` method. `get_wms_layer` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

CVSS Score

1 2 3 4 5 6 7.5 8 9 10

Weakness

Weakness Name Description
CWE-918 Server-Side Request Forgery (SSRF) The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.5

Exploitability Score

3.9

Impact Score

3.6

Base Severity

HIGH

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

URL Source
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L25 security-advisories@github.com
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L47 security-advisories@github.com
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L53 security-advisories@github.com
https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489 security-advisories@github.com
https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/ security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.