CVE-2024-32005: 
Python vulnerability analysis and mitigation

NiceGUI, a Python-based UI framework, was found to contain a local file inclusion vulnerability (CVE-2024-32005) in its leaflet component. The vulnerability was discovered and disclosed on April 12, 2024, affecting versions up to 1.4.20 (from 1.4.6). The vulnerability exists in the route /_nicegui/{__version__}/resources/{key}/{path:path} which could allow attackers to access unauthorized files on the backend filesystem (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-23 and CWE-22) that allows unauthorized access to files through the NiceUI leaflet component. The severity is rated as HIGH with a CVSS v3.1 base score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L). The vulnerability enables attackers to read any file that the web server has access to through the affected route (GitHub Advisory).

The vulnerability allows unauthorized access to any file on the backend filesystem that the web server has access to, potentially exposing sensitive information. This represents a significant confidentiality breach as indicated by the CVSS metrics showing High impact on confidentiality and Low impact on availability (GitHub Advisory).

The vulnerability has been patched in version 1.4.21 with an additional check of the requested file path. Users are strongly advised to upgrade to this version. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory).