Headline
GHSA-mvrm-fh8q-6wr2: Remote Code Execution via path traversal bypass in lollms
CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension()
function. The vulnerability arises from the /mount_extension
endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the data.category
and data.folder
parameters accepting empty strings (""
), which, due to inadequate input sanitization, can lead to the construction of a package_path
that points to the root directory. Consequently, if an attacker can create a config.yaml
file in a controllable path, this path can be appended to the extensions
list and trigger the execution of __init__.py
in the current directory, leading to remote code execution. The vulnerability affects versions from 5.9.0, and has been addressed in version 9.5.1.
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
GitHub Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Enterprise platform
AI-powered developer platform
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-5443
Remote Code Execution via path traversal bypass in lollms
Critical severity GitHub Reviewed Published Jun 22, 2024 to the GitHub Advisory Database • Updated Jun 24, 2024
Affected versions
>= 5.9.0, < 9.5.1
Description
CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension() function. The vulnerability arises from the /mount_extension endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the data.category and data.folder parameters accepting empty strings (“”), which, due to inadequate input sanitization, can lead to the construction of a package_path that points to the root directory. Consequently, if an attacker can create a config.yaml file in a controllable path, this path can be appended to the extensions list and trigger the execution of init.py in the current directory, leading to remote code execution. The vulnerability affects versions from 5.9.0, and has been addressed in version 9.5.1.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-5443
- ParisNeo/lollms@2d0c4e7
- https://huntr.com/bounties/db52848a-4dbe-4110-a981-03739834bf45
Published to the GitHub Advisory Database
Jun 22, 2024
Last updated
Jun 24, 2024