CVE-2024-39903
published 2024-07-12


Priority: P3 (56) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 2.88% (85.1st percentile)
Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.

Affected (2 ranges)

Vendor    Product  Version range    Fixed in
widgetti  solara   < 1.35.1         1.35.1
widgetti  solara   >= 0, < 1.35.1   1.35.1

Detection & IOCs (extracted from sources)

url: /static/nbextensions/#/../../../../../../../../../../etc/passwd
path: /static/nbextensions/
yara/regex: root:.*:0:0: in HTTP response body with content-type text/plain and HTTP 200 status
  • Exploit request uses the URI fragment (hash) portion to smuggle directory traversal sequences (e.g., /../../../) when requesting files under /static/nbextensions/. Monitor HTTP GET requests to this path where the fragment contains '../' sequences.
  • A successful exploitation returns HTTP 200 with Content-Type: text/plain and a body matching the pattern 'root:.*:0:0:' (i.e., /etc/passwd contents). Alert on such responses from the /static/nbextensions/ endpoint.
  • Nuclei template targets Solara instances identifiable via FOFA icon hash -223126228. Use this fingerprint to identify exposed Solara instances for prioritised patching or scanning.
  • The LFI is triggered via the URI fragment (#) component, which is typically not forwarded by standard HTTP proxies or logged by default web server access logs. Detection tooling must be capable of capturing raw/unsafe HTTP requests that include fragment data to observe this attack vector.
  • The Nuclei template uses 'unsafe: true' mode, meaning the raw request (including the fragment) is sent as-is without standard HTTP client normalisation. Standard HTTP clients may strip or ignore the fragment before sending, so detection/reproduction requires a raw HTTP request tool.
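The two detection points above (a fragment carrying '../' on a GET under /static/nbextensions/, and a 200 text/plain response whose body matches root:.*:0:0:) as a small Python checker. This is an added example for this page, not code from the Solara project or from the cited Nuclei template; the request lines and response body it scans are constructed samples, and because access logs normally drop the fragment, it expects raw request lines captured by a proxy or packet-level tool. It also percent-decodes the fragment before matching, which goes slightly beyond the page's literal '../' pattern so a detection does not miss an encoded variant.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample raw HTTP request lines (not real traffic): one benign
# static-file request, one traversal smuggled in the fragment as described
# on this page, one percent-encoded variant, and one outside the affected path.
RAW_REQUESTS = [
    "GET /static/nbextensions/jupyter-js-widgets/extension.js HTTP/1.1",
    "GET /static/nbextensions/#/../../../../../../../../../../etc/passwd HTTP/1.1",
    "GET /static/nbextensions/#/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /api/health#/../x HTTP/1.1",
]

# Constructed sample response body resembling a served /etc/passwd.
RESPONSE_BODY = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

AFFECTED_PATH = "/static/nbextensions/"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")      # a '..' path segment
PASSWD_BODY = re.compile(r"root:.*:0:0:")     # regex from the IOC list above


def fragment_traversal(request_line: str) -> bool:
    """True if a GET under /static/nbextensions/ carries '../' in its URI fragment."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])              # splits off the '#...' fragment for us
    if not url.path.startswith(AFFECTED_PATH):
        return False
    # Decode once so '%2e%2e/' is treated like '../' (defensive generalization).
    return bool(TRAVERSAL.search(unquote(url.fragment)))


def passwd_leak(status: int, content_type: str, body: str) -> bool:
    """True when a response looks like /etc/passwd served as plain text with HTTP 200."""
    media_type = content_type.split(";")[0].strip().lower()
    return status == 200 and media_type == "text/plain" and bool(PASSWD_BODY.search(body))


def flag_requests(lines):
    """Return the raw request lines that match the fragment-traversal pattern."""
    return [line for line in lines if fragment_traversal(line)]


if __name__ == "__main__":
    for hit in flag_requests(RAW_REQUESTS):
        print("ALERT request:", hit)
    print("ALERT response:", passwd_leak(200, "text/plain; charset=utf-8", RESPONSE_BODY))
```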

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa             7.5    HIGH
osv              7.5    HIGH