Platform
python
Component
widgetti/solara
Fixed in
1.35.2
A Local File Inclusion (LFI) vulnerability has been identified in Solara, a Python framework for scaling Jupyter and web apps. This flaw allows attackers to potentially read arbitrary files on the local file system by manipulating URI fragments. The vulnerability affects versions of Solara prior to 1.35.1, with a fix released in version 1.35.1. Prompt patching is recommended to prevent unauthorized file access.
The LFI vulnerability in Solara arises from inadequate validation of URI fragments used for serving static files. An attacker can craft a malicious URI containing directory traversal sequences (e.g., '../') to bypass intended access controls. Successful exploitation could allow an attacker to read sensitive configuration files, source code, or other data stored on the server's file system. The potential impact ranges from information disclosure to, in some cases, remote code execution if the attacker can leverage the read access to modify or execute files.
This vulnerability was publicly disclosed on 2024-07-12. Currently, there are no known active campaigns targeting this specific vulnerability. Public proof-of-concept (POC) code may emerge, increasing the risk of exploitation. The vulnerability is not currently listed on CISA KEV. The CVSS score of 8.6 (HIGH) indicates a significant potential for exploitation.
Organizations deploying Solara for web applications, particularly those serving sensitive data or running in environments with limited security controls, are at risk. Shared hosting environments where users have the ability to influence URI parameters are also particularly vulnerable.
• python / server:
  # Check for vulnerable Solara versions
  python -c "import solara; print(solara.__version__)"
• generic web:
  # Check for directory traversal sequences in access logs. The dots are
  # escaped so the pattern matches a literal '../' (an unescaped '..' would
  # match any two characters); the second alternative catches the
  # percent-encoded form.
  grep -iE '\.\./|%2e%2e/' /var/log/apache2/access.log
Exploit status
EPSS
46.55% (98th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-39903 is to upgrade Solara to version 1.35.1 or later, which includes the necessary fixes for URI fragment validation. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences in the URI fragment. Additionally, restrict access to static file directories and implement robust input validation to prevent malicious URI manipulation. After upgrading, confirm the fix by attempting to access a file outside the intended static file directory via a crafted URI; access should be denied.
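The class of fix described above, resolving the client-supplied path and refusing anything that lands outside the static root, as an added illustration that is not Solara's own code; the function names, the temporary directory and the sample requests are constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_static_path(static_root: Path, requested: str) -> Path:
    """Vulnerable pattern: join the request onto the root with no containment check."""
    return Path(static_root) / requested


def resolve_static_path(static_root: Path, requested: str) -> Optional[Path]:
    """Hardened pattern: map a client-supplied path to a file under static_root.

    Returns the resolved Path only if it lies inside static_root, else None.
    The check runs on the fully resolved absolute path, so '..' segments,
    percent-encoded dots and symlinks pointing outside the root are all
    rejected at one place.
    """
    root = Path(static_root).resolve()
    # Decode once so '%2e%2e' is not treated as a harmless literal name.
    relative = unquote(requested).lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Constructed scenario: a temp static root with one file and one file outside it."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "static"
    root.mkdir()
    (root / "app.js").write_text("console.log('hi')")
    (tmp / "secret.txt").write_text("outside the static root")
    outside = (tmp / "secret.txt").resolve()
    return {
        "legit": resolve_static_path(root, "app.js"),
        "traversal": resolve_static_path(root, "../secret.txt"),
        "encoded": resolve_static_path(root, "%2e%2e/secret.txt"),
        "naive_escapes": naive_static_path(root, "../secret.txt").resolve() == outside,
    }
```

The same containment check is what the post-upgrade verification in the paragraph above is exercising: a request that resolves outside the static directory must be refused.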
Update the Solara library to version 1.35.1 or later. This fixes the local file inclusion vulnerability. You can update with `pip install solara --upgrade`.
CVE-2024-39903 is a Local File Inclusion vulnerability in Solara versions 1.35.1 and earlier, allowing attackers to read arbitrary files on the server.
You are affected if you are using Solara versions less than or equal to 1.35.1. Upgrade to 1.35.1 or later to resolve the vulnerability.
Upgrade Solara to version 1.35.1 or later. Consider implementing WAF rules to block malicious URI fragments as a temporary workaround.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Solara project's official release notes and security advisories on their GitHub repository for the latest information.