CVE-2022-35918: 
Python vulnerability analysis and mitigation

Streamlit, a data-oriented application development framework for Python, was found to contain a directory traversal vulnerability (CVE-2022-35918) affecting versions 0.63.0 through 1.11.0. The vulnerability was discovered and disclosed in July 2022, with a patch released on July 27th, 2022 in version 1.11.1. This security issue specifically affects users hosting Streamlit applications that utilize custom components (GitHub Advisory).

The vulnerability is classified as a Path Traversal attack (CWE-22) with a CVSS v3.1 score of 6.5 (Medium severity). The attack vector is network-based, requiring low attack complexity and no privileges, though user interaction is required. The vulnerability allows attackers to craft malicious URLs with specific file paths that the Streamlit server would process and return the contents of files outside the intended directory structure (NVD).

When exploited, the vulnerability could allow attackers to access data from the web server's file system, including server logs, world-readable files, and other potentially sensitive information that should not be accessible through the Streamlit application (Security Online).

The vulnerability was patched in Streamlit version 1.11.1, which ensures that file operations are restricted only to the custom component directory and cannot traverse outside of that scope. Users are strongly recommended to upgrade to v1.11.1 or later. Additional security best practices include reviewing custom components for malicious code before implementation, running web servers with low privileges, and implementing proper firewall configurations (GitHub Advisory).