Skip to content

Update dependency streamlit to v1.37.0 [SECURITY]#75

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-streamlit-vulnerability
Open

Update dependency streamlit to v1.37.0 [SECURITY]#75
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-streamlit-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Jan 13, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
streamlit (source, changelog) ==1.22.0 -> ==1.37.0 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-8qw9-gf7w-42x5

Impact

The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions.

Patches

We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security.

Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

For more information

If you have any questions or comments about this advisory:

CVE-2024-42474

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.


Release Notes

streamlit/streamlit (streamlit)

v1.37.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.36.0...1.37.0

v1.36.0

Compare Source

What's Changed

Breaking Changes 🛠
New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.35.0...1.36.0

v1.35.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.34.0...1.35.0

v1.34.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.33.0...1.34.0

v1.33.0

Compare Source

What's Changed

Breaking Changes 🛠
New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.32.2...1.33.0

v1.32.2

Compare Source

Full Changelog: streamlit/streamlit@1.32.1...1.32.2

v1.32.1

Compare Source

Full Changelog: streamlit/streamlit@1.32.0...1.32.1

v1.32.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.31.1...1.32.0

v1.31.1

Compare Source

Full Changelog: streamlit/streamlit@1.31.0...1.31.1

v1.31.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.30.0...1.31.0

v1.30.0

Compare Source

What's Changed

New Features 🎉
Bug Fixes 🐛
Other Changes
  • Fix parenthesis error messaging by [@​willhuang1997

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cr-gpt
Copy link

cr-gpt bot commented Jan 13, 2024

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

@renovate renovate bot force-pushed the renovate/pypi-streamlit-vulnerability branch from 9c5af32 to af2cada Compare August 13, 2024 02:35
@cr-gpt
Copy link

cr-gpt bot commented Aug 13, 2024

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

@renovate renovate bot changed the title Update dependency streamlit to v1.30.0 [SECURITY] Update dependency streamlit to v1.37.0 [SECURITY] Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants