Path Traversal Vulnerability in Parisneo/Lollms Allows Remote Code Execution
CVE-2024-5443

9.8 CRITICAL

Key Information:

Vendor
Parisneo
CVE Published:
22 June 2024

Summary

A security vulnerability exists in the parisneo/lollms software, specifically in the ExtensionBuilder().build_extension() function, where improper input sanitization at the /mount_extension endpoint allows for path traversal. This vulnerability is triggered when the data.category and data.folder parameters are accepted as empty strings, enabling attackers to navigate outside of the intended directory structure. If an attacker can manipulate the environment to create a config.yaml file at a controllable path, they can exploit this to append it to the extensions list, leading to the execution of arbitrary code through __init__.py in the current directory. This vulnerability affects versions up to 5.9.0 and has been addressed in version 9.8.
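The summary attributes the traversal to the `data.category` and `data.folder` parameters being accepted without checks, including as empty strings. As an added example, not code from the lollms project, the Python below contrasts an unchecked join with a validated one that rejects empty or separator-bearing components and then confirms the resolved directory still lies inside the extensions root; `EXTENSIONS_ROOT`, the function names and the `<root>/<category>/<folder>` layout are assumptions made for the illustration.

```python
import os
import re
from pathlib import Path

# Assumed layout for this example (not the lollms project's own paths):
# each extension lives under EXTENSIONS_ROOT/<category>/<folder>/
EXTENSIONS_ROOT = "/tmp/lollms_extensions_demo"

# One plain path component: a letter, digit or underscore, then letters,
# digits, '_', '-' or '.'. This excludes '', '.', '..' and any separator.
_COMPONENT_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def naive_extension_dir(category: str, folder: str, root: str = EXTENSIONS_ROOT) -> str:
    """Unchecked join, the pattern the advisory describes: an empty component
    simply collapses onto the root, and '..' components walk out of it."""
    return os.path.normpath(os.path.join(root, category, folder))


def is_safe_component(name: str) -> bool:
    """True only for a non-empty single path component with no traversal."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return _COMPONENT_RE.fullmatch(name) is not None


def safe_extension_dir(category: str, folder: str, root: str = EXTENSIONS_ROOT) -> str:
    """Validate both components, then confirm that the resolved path is
    strictly inside the extensions root (resolve() also follows symlinks,
    so a link planted under root cannot point elsewhere). Raises ValueError."""
    if not is_safe_component(category) or not is_safe_component(folder):
        raise ValueError("invalid extension category or folder")
    root_path = Path(root).resolve()
    target = (root_path / category / folder).resolve()
    if root_path not in target.parents:
        raise ValueError("extension path escapes the extensions root")
    return str(target)


def accepts(category: str, folder: str, root: str = EXTENSIONS_ROOT) -> bool:
    """True if a mount request with these parameters would pass validation."""
    try:
        safe_extension_dir(category, folder, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: the two rejected ones mirror the advisory's
    # empty-string case and a generic traversal; the last is a normal mount.
    for cat, fold in [("", ""), ("..", ""), ("tools", "my_ext")]:
        print(f"{cat!r}/{fold!r}: naive -> {naive_extension_dir(cat, fold)}, "
              f"accepted={accepts(cat, fold)}")
```

The component whitelist does the real work; the `parents` check after `resolve()` is a second line of defence for the case where a directory under the root has been replaced by a symbolic link, which a string-level check cannot see.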

Affected Version(s)

parisneo/lollms < 9.8

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
