CVE-2024-41119
📋 TL;DR
CVE-2024-41119 is a critical remote code execution vulnerability in streamlit-geospatial where user-controlled input is passed to the eval() function without proper validation. This allows attackers to execute arbitrary code on affected systems. All users running vulnerable versions of streamlit-geospatial are affected.
💻 Affected Systems
- streamlit-geospatial
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, system manipulation, or deployment of ransomware/cryptominers.
If Mitigated
No impact if proper input validation and sanitization are implemented.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it involves passing malicious input to an eval() function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit c4f81d9616d40c60584e36abb15300853a66e489
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/
Restart Required: Yes
Instructions:
1. Update to the latest version of streamlit-geospatial.
2. Ensure commit c4f81d9616d40c60584e36abb15300853a66e489 is included.
3. Restart the Streamlit application.
🔧 Temporary Workarounds
Disable vulnerable page
Remove or disable the Raster Data Visualization page (8_🏜️_Raster_Data_Visualization.py) in the application.
mv pages/8_🏜️_Raster_Data_Visualization.py pages/8_🏜️_Raster_Data_Visualization.py.disabled
Input validation wrapper
Add input validation that parses and checks the vis_params value instead of passing it to eval().
# Replace eval(vis_params) at line 86 with: import ast; vis_params = ast.literal_eval(vis_params), and then validate the resulting dict strictly (allow-listed keys and value types)
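The following is an added example, not code from streamlit-geospatial or the advisory, showing what such a wrapper looks like: ast.literal_eval only builds Python literals (no calls, attribute access or imports), and the result is then checked against an allow-list. The key names in ALLOWED_VIS_KEYS are an assumption about which raster visualization parameters the page accepts.

```python
import ast
from typing import Any

# Assumed allow-list of raster visualization keys and their value types;
# the real page's accepted keys are a hypothetical here.
ALLOWED_VIS_KEYS: dict[str, tuple[type, ...]] = {
    "bands": (list, tuple),
    "palette": (str, list, tuple),
    "vmin": (int, float),
    "vmax": (int, float),
    "nodata": (int, float),
    "opacity": (int, float),
}


def parse_vis_params(text: str) -> dict[str, Any]:
    """Parse user-supplied vis_params without eval().

    Raises ValueError for anything that is not a dict literal made of
    allow-listed keys with values of the expected types.
    """
    text = text.strip()
    if not text:
        return {}
    try:
        # literal_eval rejects calls, names, attribute access and operators
        # other than simple +/- on numbers, so no code is executed here.
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"vis_params is not a literal: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("vis_params must be a dict literal")
    clean: dict[str, Any] = {}
    for key, val in value.items():
        if not isinstance(key, str) or key not in ALLOWED_VIS_KEYS:
            raise ValueError(f"unexpected vis_params key: {key!r}")
        if not isinstance(val, ALLOWED_VIS_KEYS[key]):
            raise ValueError(f"bad type for {key!r}: {type(val).__name__}")
        clean[key] = val
    return clean
```

A rejected value should be surfaced to the user as a validation error and logged, which also gives the eval-related log indicator below a clean signal to key on.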
🧯 If You Can't Patch
- Implement network segmentation to isolate the vulnerable application from critical systems.
- Deploy a web application firewall (WAF) with rules to block malicious eval() payloads.
🔍 How to Verify
Check if Vulnerable:
Check if your streamlit-geospatial version includes commit c4f81d9616d40c60584e36abb15300853a66e489. Review pages/8_🏜️_Raster_Data_Visualization.py lines 80-86 for eval() usage with user input.
Check Version:
git log --oneline | grep c4f81d9616d40c60584e36abb15300853a66e489
Verify Fix Applied:
Confirm that eval() is no longer used with unsanitized user input in the patched version. Test that malicious input in vis_params does not execute code.
📡 Detection & Monitoring
Log Indicators:
- Unusual Python code execution in Streamlit logs
- Errors from eval() function with unexpected input
- Suspicious process creation from Streamlit
Network Indicators:
- Unexpected outbound connections from Streamlit application
- Traffic patterns indicating command and control
SIEM Query:
source="streamlit.logs" AND "eval" AND ("error" OR "exception")
🔗 References
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/8_%F0%9F%8F%9C%EF%B8%8F_Raster_Data_Visualization.py#L80
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/8_%F0%9F%8F%9C%EF%B8%8F_Raster_Data_Visualization.py#L86
- https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
- https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/