CVE-2024-41120 Information
Description
streamlit-geospatial is a Streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the url variable on line 63 of pages/9_🔲_Vector_Data_Visualization.py takes user input which is later passed, without validation, to the gpd.read_file method. gpd.read_file fetches whatever location it is given, so the server issues a request to an attacker-chosen destination (including internal or loopback addresses it can reach but the user cannot). Because the fetched content is parsed as vector data rather than echoed back, this is a blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
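The following is an added example, not code from streamlit-geospatial or its fix commit. It shows the hardening a practitioner would put in front of gpd.read_file when the path or URL comes from user input: only http(s) URLs are accepted (which also rules out local file paths, file:// and GDAL /vsi*/ prefixes), the host must be on an allowlist, and the host must resolve only to globally routable addresses. The allowlist, the helper names, the sample URLs and the offline demo_resolver table are assumptions chosen for illustration.

```python
"""Hardened URL handling in front of gpd.read_file (added example, not project code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlparse, urlunparse

# Hypothetical allowlist: hosts the operator is willing to let the server fetch from.
DEFAULT_ALLOWED_HOSTS = frozenset({"raw.githubusercontent.com", "github.com"})


def resolve_host(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA addresses (real DNS lookup)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def demo_resolver(host: str) -> List[str]:
    """Constructed, offline stand-in for resolve_host used by the examples below."""
    table = {
        "raw.githubusercontent.com": ["185.199.108.133"],
        "localhost": ["127.0.0.1"],
        "evil.example": ["10.0.0.5"],  # public name, private (rebinding-style) answer
    }
    return table.get(host, [])


def validate_source_url(
    url: str,
    allowed_hosts: Optional[Iterable[str]] = DEFAULT_ALLOWED_HOSTS,
    resolver: Callable[[str], List[str]] = resolve_host,
) -> str:
    """Return a normalised URL safe to hand to gpd.read_file, or raise ValueError.

    Rejects: non-http(s) schemes (local paths, file://, /vsicurl/ ...), URLs
    without a host, credentials in the authority, hosts outside the allowlist
    (when one is given), and hosts that resolve to any non-public address
    (loopback, RFC 1918, link-local such as 169.254.169.254, IPv6 ::1, ...).
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parsed.scheme!r}; only http(s) is accepted")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = parsed.hostname.lower()
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host {host!r} is not in the allowlist")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host {host!r} does not resolve")
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"host {host!r} resolves to non-public address {addr}")
    return urlunparse(parsed)


def is_safe_source_url(url: str, **validate_kwargs) -> bool:
    """Boolean convenience wrapper around validate_source_url."""
    try:
        validate_source_url(url, **validate_kwargs)
        return True
    except ValueError:
        return False


def _read_with_geopandas(url: str):
    """Real reader; imported lazily so the validation helpers run without geopandas."""
    import geopandas as gpd
    return gpd.read_file(url)


def load_vector_data(url: str, reader: Callable = _read_with_geopandas, **validate_kwargs):
    """Hardened replacement for calling gpd.read_file(url) directly on user input."""
    safe_url = validate_source_url(url, **validate_kwargs)
    return reader(safe_url)


if __name__ == "__main__":
    # Constructed inputs: a legitimate source and the classic SSRF probes.
    for candidate in (
        "https://raw.githubusercontent.com/opengeos/data/main/countries.geojson",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8501/",
        "/etc/passwd",
        "/vsicurl/http://169.254.169.254/",
    ):
        print(candidate, "->", is_safe_source_url(candidate, resolver=demo_resolver))
```

The allowlist is the primary control; the resolve-then-check step is defence in depth, since the fetching layer performs its own DNS lookup and follows redirects, so a name that answers differently on the second lookup (DNS rebinding) or a redirect from an allowlisted host to an internal address can still bypass the address check alone.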
Reference
https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/
https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/9_%F0%9F%94%B2_Vector_Data_Visualization.py#L63
https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/9_%F0%9F%94%B2_Vector_Data_Visualization.py#L87