Home > Vulnerability Database > CVE-2024-32005

Mend.io Vulnerability Database

CVE-2024-32005

Good to know:

Date: April 12, 2024

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

8.2

Related Resources (5)

Url: https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32005

Url: https://huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67

Url: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj

Url: https://www.mend.io/vulnerability-database/CVE-2024-32005

Severity Score

8.2

Weakness Type (CWE)

Path Traversal

CWE-22

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version nicegui - 1.4.21

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32005

Good to know:

Date: April 12, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?