CVE-2024-39903
Published 2024-07-12. CVE-2024-39903: Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara…
Priority: P3 · 56 · high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: EPSS 2.88% (85.1th percentile)
Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| widgetti | solara | < 1.35.1 | 1.35.1 |
| widgetti | solara | >= 0 < 1.35.1 | 1.35.1 |
Detection & IOCs (extracted from sources)
- yara: regex `root:.*:0:0:` in HTTP response body with content-type text/plain and HTTP 200 status
- Exploit request uses the URI fragment (hash) portion to smuggle directory traversal sequences (e.g., /../../../) when requesting files under /static/nbextensions/. Monitor HTTP GET requests to this path where the fragment contains '../' sequences.
- A successful exploitation returns HTTP 200 with Content-Type: text/plain and a body matching the pattern 'root:.*:0:0:' (i.e., /etc/passwd contents). Alert on such responses from the /static/nbextensions/ endpoint.
- Nuclei template targets Solara instances identifiable via FOFA icon hash -223126228. Use this fingerprint to identify exposed Solara instances for prioritised patching or scanning.
- The LFI is triggered via the URI fragment (#) component, which is typically not forwarded by standard HTTP proxies or logged by default web server access logs. Detection tooling must be capable of capturing raw/unsafe HTTP requests that include fragment data to observe this attack vector.
- The Nuclei template uses 'unsafe: true' mode, meaning the raw request (including the fragment) is sent as-is without standard HTTP client normalisation. Standard HTTP clients may strip or ignore the fragment before sending, so detection/reproduction requires a raw HTTP request tool.
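The two detection heuristics above (request side: fragment traversal under /static/nbextensions/; response side: 200 text/plain body matching `root:.*:0:0:`) as a small added example, not code from the Solara project or from the Nuclei template. The sample request lines are constructed, and the percent-decoding of the fragment is a small generalisation beyond the literal '../' check in the notes.

```python
import re
from urllib.parse import unquote

# Detection heuristics for CVE-2024-39903, built from the notes above.
# Constructed example; not code from the Solara project or the Nuclei template.
STATIC_PREFIX = "/static/nbextensions/"
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")   # a '..' path segment
PASSWD_RE = re.compile(r"root:.*:0:0:")             # /etc/passwd signature from the yara note


def request_is_suspicious(request_line: str) -> bool:
    """Flag a raw request line: GET under the static path with '../' in the URI fragment.

    This must see the raw request bytes: proxies and default access logs drop the
    fragment, so a normalised URL would never match.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return False
    path, has_fragment, fragment = parts[1].partition("#")
    if not has_fragment or not path.startswith(STATIC_PREFIX):
        return False
    # Decode percent-encoding so '%2e%2e/' is treated like '../' (small generalisation).
    return TRAVERSAL_RE.search(unquote(fragment)) is not None


def response_is_suspicious(status: int, content_type: str, body: str) -> bool:
    """Flag a 200 text/plain response whose body looks like /etc/passwd content."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return status == 200 and media_type == "text/plain" and PASSWD_RE.search(body) is not None


def scan_requests(lines):
    """Return the request lines that match the request-side heuristic."""
    return [line for line in lines if request_is_suspicious(line)]


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /static/nbextensions/#/../../../etc/passwd HTTP/1.1",
    "GET /static/nbextensions/jupyter-widgets/extension.js HTTP/1.1",
    "GET /static/nbextensions/#top HTTP/1.1",
    "GET /static/nbextensions/#%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /api/data#/../../../etc/passwd HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("suspicious request:", hit)
    # Constructed passwd-style body, not a real file.
    print("suspicious response:", response_is_suspicious(200, "text/plain; charset=utf-8", "root:x:0:0:root:/root:/bin/sh\n"))
```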
CVSS provenance
- nvd: v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- ghsa: 7.5 HIGH
- osv: 7.5 HIGH
GHSA
CVE-2024-39903 [HIGH] CWE-22 Local File Inclusion in Solara
ghsa · 2024-07-12 · CVSS 7.5
### References
- https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w
- https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39903
OSV
CVE-2024-39903 [HIGH] Local File Inclusion in Solara
osv · 2024-07-12 · CVSS 7.5
No detection rules found.
Nuclei
CVE-2024-39903 [HIGH] Solara <1.35.1 - Local File Inclusion
nuclei · CVSS 7.5
Template:

```yaml
id: CVE-2024-39903

info:
  name: Solara <1.35.1 - Local File Inclusion
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application'
```

Template references:
- https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54
- https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w