CVE-2024-2361 CRITICAL

CVE-2024-2361: Arbitrary Upload & Read via Path Traversal in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-29
Published May 16, 2024
Last update August 1, 2024

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.

Key dates

02Disclosure timeline

May 16, 2024 CVE published
August 1, 2024 Record updated