Platform: python
Component: streamlit-geospatial
Fixed in: 4.0.1
CVE-2024-41118 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the streamlit-geospatial Python library, a Streamlit application for geospatial data visualization. This flaw allows an attacker to craft malicious URLs that trigger the application to make requests to arbitrary internal or external destinations, potentially exposing sensitive data or facilitating unauthorized access. The vulnerability affects versions of streamlit-geospatial prior to commit c4f81d9616d40c60584e36abb15300853a66e489, and a fix has been released.
The SSRF vulnerability in streamlit-geospatial arises from the improper handling of user-supplied URLs within the pages/7📦WebMapService.py file. Specifically, the url variable, derived directly from user input, is passed to the getwmslayer method without adequate validation. This allows an attacker to manipulate the URL to point to internal services or external resources that the application should not be accessing. A successful exploitation could lead to the exposure of sensitive internal data, such as configuration files or database credentials, if the application interacts with internal services. Furthermore, an attacker could potentially use the SSRF vulnerability to scan internal networks or launch attacks against other systems within the organization’s infrastructure. The blind nature of the SSRF means the attacker doesn't directly see the response, but can infer information based on the application's behavior.
This vulnerability was publicly disclosed on 2024-07-26. No known public exploits or active campaigns targeting this specific vulnerability have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the SSRF nature and the lack of immediate exploitation, the probability of exploitation is considered low to medium, but vigilance is still advised, particularly in environments with sensitive internal services.
Exploit Status
EPSS: 0.21% (44th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-41118 is to upgrade to a build that includes commit c4f81d9616d40c60584e36abb15300853a66e489 (the fix commit) or later. This fix properly validates user-supplied URLs, closing the SSRF. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those targeting internal or unauthorized external resources. Restrict network access for the Streamlit application to only the external services it needs. Implement strict input validation on all user-supplied URLs to ensure they conform to expected formats and destinations. Regularly review and update the streamlit-geospatial library to benefit from the latest security patches.
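The "strict input validation on all user-supplied URLs" recommended above, and the unvalidated `url`-to-WMS-fetch pattern described earlier, can both be made concrete. The following is an added example written for this advisory; it is not code from streamlit-geospatial, and the function names (`validate_wms_url`, `load_wms_layer_checked`, `load_wms_layer_unchecked`) are hypothetical stand-ins for the app's own helpers. The validator accepts only http(s) URLs without embedded credentials, optionally enforces a host allowlist, and rejects any host that is, or resolves to, a loopback, private, link-local, reserved, multicast or unspecified address (IPv4-mapped IPv6 included). DNS lookups go through an injectable resolver; the demo uses a constructed table so it runs offline.

```python
"""Validating a user-supplied WMS endpoint before the server fetches it.
Added example for this advisory, not code from streamlit-geospatial;
function names are hypothetical stand-ins for the app's own helpers."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Resolve a hostname to every A/AAAA address it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_non_public(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata range),
    reserved, multicast and unspecified addresses."""
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_wms_url(url: str, allowed_hosts: Optional[Iterable[str]] = None,
                     resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (accepted, reason): only http(s), no embedded credentials,
    host on the allowlist if one is given, and no non-public address."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not on allowlist"
    try:
        ipaddress.ip_address(host)     # literal IP: check it directly
        addresses = [host]
    except ValueError:                 # hostname: check every address it resolves to
        try:
            addresses = list(resolver(host))
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addresses:
            return False, f"{host!r} resolved to no addresses"
    for ip_text in addresses:
        if is_non_public(ip_text):
            return False, f"{host!r} maps to non-public address {ip_text}"
    return True, "ok"


def load_wms_layer_unchecked(url: str, fetch: Callable[[str], str]) -> str:
    """Shape of the vulnerable pattern: the user's URL reaches the fetcher as-is."""
    return fetch(url)


def load_wms_layer_checked(url: str, fetch: Callable[[str], str], **policy) -> str:
    """Hardened pattern: validate first, fetch only what passed."""
    accepted, reason = validate_wms_url(url, **policy)
    if not accepted:
        raise ValueError(f"rejected WMS URL: {reason}")
    return fetch(url)


# Constructed DNS table so the demo runs offline; the addresses are illustrative.
FAKE_DNS = {"wms.example.org": ["93.184.216.34"], "localhost": ["127.0.0.1"],
            "intranet.corp.example": ["10.20.30.40"],
            "metadata.internal": ["::ffff:169.254.169.254"]}


def fake_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    def fake_fetch(u: str) -> str:
        return f"<WMS_Capabilities from {u}>"

    for sample in ["https://wms.example.org/geoserver/wms?request=GetCapabilities",
                   "http://localhost:8080/wms", "http://169.254.169.254/", "http://[::1]/wms",
                   "http://metadata.internal/wms", "file:///etc/hosts",
                   "http://admin@intranet.corp.example/wms"]:
        try:
            print("accepted", load_wms_layer_checked(sample, fake_fetch, resolver=fake_resolver))
        except ValueError as exc:
            print("blocked ", exc)
```

Two caveats for anyone adopting this shape: the address check and the later HTTP fetch resolve the hostname separately, so a name whose records change between the two lookups (DNS rebinding) can slip past; pinning the fetch to the validated address, or routing all outbound requests through an egress proxy that enforces the same policy, closes that gap. Second, where the set of legitimate WMS servers is known, the `allowed_hosts` allowlist is the stronger control and the address check becomes defence in depth.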
Update the streamlit-geospatial checkout to commit c4f81d9616d40c60584e36abb15300853a66e489 or later. This corrects the blind server-side request forgery (SSRF) vulnerability in the Web Map Service page. Because the fix is identified by a Git commit rather than a release tag, install it from the project's Git repository using pip's VCS syntax: `pip install "git+<repository URL>@c4f81d9616d40c60584e36abb15300853a66e489"` (substitute the project's repository URL; a plain `==<commit>` version specifier will not resolve).
CVE-2024-41118 is a Server-Side Request Forgery (SSRF) vulnerability in the streamlit-geospatial library, allowing attackers to make requests to arbitrary destinations.
You are affected if you are using a version of streamlit-geospatial prior to commit c4f81d9616d40c60584e36abb15300853a66e489.
Upgrade to a build that includes commit c4f81d9616d40c60584e36abb15300853a66e489 or later. Consider WAF rules as a temporary mitigation.
No active exploitation has been confirmed at this time, but vigilance is advised.
Refer to the project's repository and related security announcements for the latest information.