
Exploit for Solara <1.35.1 - Local File Inclusion (CVE-2024-39903)

Description:

A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara in versions prior to 1.35.1; it was fixed in version 1.35.1. The vulnerability arises because the application did not validate URI fragments for directory traversal sequences such as ‘../’ when serving static files, so a path built from client-supplied input could escape the static-file root. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system that the server process can access. Upgrading to 1.35.1 or later removes the issue.
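The following is an added illustration of the bug class described above, written for this page; it is not Solara's own static-file handler, nor the code from the fix commit referenced below. It pairs a naive path join (the pattern that lets a ‘../’ segment escape the static root) with a hardened resolver that percent-decodes, normalises, resolves symlinks, and then checks that the final path is still inside the root. The directory layout, file names and helper names (naive_static_path, safe_static_path, demo) are constructed for the example.

```python
"""Static-file path resolution: weak join versus hardened check (example code)."""
import os
import posixpath
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_static_path(static_root: str, requested: str) -> str:
    """Weak join that trusts the client-supplied path (the bug class on this page)."""
    return os.path.join(static_root, requested)


def safe_static_path(static_root: str, requested: str) -> Optional[Path]:
    """Return the file to serve, or None if the request escapes the static root."""
    root = Path(static_root).resolve()
    # Percent-decode defensively so encoded dots/slashes (%2e, %2f) are checked
    # too, and treat backslashes as separators so they cannot smuggle a segment.
    decoded = unquote(requested).replace("\\", "/")
    # normpath on a rooted string collapses every '..' against a fake '/' so the
    # result can never point above the root; then strip that fake leading '/'.
    relative = posixpath.normpath("/" + decoded).lstrip("/")
    candidate = (root / relative).resolve()  # resolve() also follows symlinks
    try:
        candidate.relative_to(root)  # raises ValueError if outside the root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Constructed layout: <tmp>/static/app.js is public, <tmp>/secret.txt is not."""
    base = Path(tempfile.mkdtemp())
    static = base / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("not for the web")

    traversal = "../secret.txt"  # constructed request path with one traversal segment
    naive = Path(naive_static_path(str(static), traversal))
    hardened = safe_static_path(str(static), traversal)
    encoded = safe_static_path(str(static), "%2e%2e/secret.txt")
    legit = safe_static_path(str(static), "app.js")
    return {
        # The weak join resolves to the file outside the static root.
        "naive_escapes_root": naive.exists()
        and naive.resolve() == (base / "secret.txt").resolve(),
        # The hardened resolver refuses both plain and percent-encoded traversal...
        "hardened_rejects": hardened is None,
        "hardened_rejects_encoded": encoded is None,
        # ...while still serving a legitimate file under the root.
        "hardened_serves": legit.read_text() if legit else None,
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is `candidate.relative_to(root)` after `resolve()`: rejecting the literal string ‘../’ alone is not enough, because encoded forms, backslashes and symlinks can all produce a path outside the root without that substring ever appearing in the request.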

Nuclei Template

The template is available as CVE-2024-39903.yaml.

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-39903.yaml

References:

https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w
https://nvd.nist.gov/vuln/detail/CVE-2024-39903
https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54