Platform
python
Component
widgetti/solara
Fixed in
1.35.2
A Local File Inclusion (LFI) vulnerability has been identified in Solara, a Python framework for scaling Jupyter and web apps. This flaw allows attackers to potentially read arbitrary files on the local file system by manipulating URI fragments. The vulnerability affects versions of Solara prior to 1.35.1, with a fix released in version 1.35.1. Prompt patching is recommended to prevent unauthorized file access.
The LFI vulnerability in Solara arises from inadequate validation of URI fragments used for serving static files. An attacker can craft a malicious URI containing directory traversal sequences (e.g., '../') to bypass intended access controls. Successful exploitation could allow an attacker to read sensitive configuration files, source code, or other data stored on the server's file system. The potential impact ranges from information disclosure to, in some cases, remote code execution if the attacker can leverage the read access to modify or execute files.
This vulnerability was publicly disclosed on 2024-07-12. Currently, there are no known active campaigns targeting this specific vulnerability. Public proof-of-concept (POC) code may emerge, increasing the risk of exploitation. The vulnerability is not currently listed on CISA KEV. The CVSS score of 8.6 (HIGH) indicates a significant potential for exploitation.
Exploit Status
EPSS
46.55% (98th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-39903 is to upgrade Solara to version 1.35.1 or later, which includes the necessary fixes for URI fragment validation. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences in the URI fragment. Additionally, restrict access to static file directories and implement robust input validation to prevent malicious URI manipulation. After upgrading, confirm the fix by attempting to access a file outside the intended static file directory via a crafted URI; access should be denied.
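To make the mitigation concrete, the following added example (not Solara project code, and not the upstream fix) shows the two defensive pieces the advisory calls for: a static-file resolver that confines every request to its base directory so that `../` sequences, percent-encoded and double-encoded variants, and sibling-directory prefix tricks cannot escape it, and a small access-log scanner that flags the traversal patterns a WAF rule would block. The base directory `/srv/static`, the function names, and the log lines are all constructed for illustration.

```python
"""Added example: confining static-file lookups and spotting traversal in logs.

This is illustrative code, not Solara's implementation. The base directory,
function names and sample log lines are constructed for the example.
"""
import os
import re
from typing import List, Dict, Optional
from urllib.parse import unquote

# Constructed base directory; it does not need to exist because the check is
# done with realpath/commonpath, which normalise lexically for missing paths.
BASE_DIR = "/srv/static"


def resolve_static_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute file path for `requested`, or None if it would
    leave `base_dir`.

    The request is percent-decoded twice (to catch double-encoding such as
    %252e), backslashes are treated as separators, and a leading slash is
    dropped so the request can never be interpreted as an absolute path.
    Both sides are passed through realpath so '..' segments are collapsed
    and symlinks resolved before the containment check.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:          # embedded NUL can truncate paths in C APIs
        return None
    rel = decoded.lstrip("/")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath (not startswith) rejects '/srv/static2' as a sibling of
    # '/srv/static' instead of treating it as a child.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines in common log format (hypothetical traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2024:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2024:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [12/Jul/2024:10:00:03 +0000] "GET /static/..%2F..%2Fconfig.py HTTP/1.1" 404 0',
    '10.0.0.7 - - [12/Jul/2024:10:00:04 +0000] "GET /static/..%252F..%252Fsecrets.env HTTP/1.1" 200 77',
    '10.0.0.3 - - [12/Jul/2024:10:00:05 +0000] "GET /static/vendor/lib.js HTTP/1.1" 200 9001',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_traversal_requests(log_lines: List[str]) -> List[Dict]:
    """Return one record per request whose decoded path contains a '..'
    segment. A 200 status on a flagged line is the case worth triaging
    first, since it suggests the server actually returned the file."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1))).replace("\\", "/")
        if any(segment == ".." for segment in path.split("/")):
            hits.append({"line": line_no, "path": path, "status": int(m.group(2))})
    return hits


if __name__ == "__main__":
    for req in ["app.css", "../../etc/passwd", "..%252F..%252Fconfig.py"]:
        print(f"{req!r:30} -> {resolve_static_path(BASE_DIR, req)}")
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {hit['line']}: status {hit['status']} path {hit['path']}")
```

The resolver is the "robust input validation" piece: it decides containment on the normalised absolute path rather than by searching the raw string for `../`, so encoded or mixed-separator variants are handled the same way as the plain form. The log scanner decodes the same way, which is why it catches the double-encoded line that a naive substring match on `../` would miss.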
Update the Solara library to version 1.35.1 or later. This fixes the local file inclusion vulnerability. You can update with `pip install solara --upgrade`.
CVE-2024-39903 is a Local File Inclusion vulnerability in Solara versions 1.35.1 and earlier, allowing attackers to read arbitrary files on the server.
You are affected if you are using Solara versions less than or equal to 1.35.1. Upgrade to 1.35.1 or later to resolve the vulnerability.
Upgrade Solara to version 1.35.1 or later. Consider implementing WAF rules to block malicious URI fragments as a temporary workaround.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Solara project's official release notes and security advisories on their GitHub repository for the latest information.