CVE-2024-4320

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b	Exploit Third Party Advisory
https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-06-06 19:16

Updated : 2024-11-21 09:42

NVD link : CVE-2024-4320

Mitre link : CVE-2024-4320

CVE.ORG link : CVE-2024-4320

JSON object : View

Products Affected

lollms

lollms_web_ui

CWE

CWE-29

Path Traversal: '\..\filename'

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-4320", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-06-06T19:16:02.453", "references": [{"url": "https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-29"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post(\"/install_extension\")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) en el endpoint '/install_extension' de la aplicaci\u00f3n parisneo/lollms-webui, espec\u00edficamente dentro del controlador de ruta `@router.post(\"/install_extension\")`. La vulnerabilidad surge debido al manejo inadecuado del par\u00e1metro `name` en el m\u00e9todo `ExtensionBuilder().build_extension()`, que permite la inclusi\u00f3n de archivos locales (LFI) que conducen a la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante puede aprovechar esta vulnerabilidad creando un par\u00e1metro \"nombre\" malicioso que hace que el servidor cargue y ejecute un archivo \"__init__.py\" desde una ubicaci\u00f3n arbitraria, como el directorio de carga para discusiones. Esta vulnerabilidad afecta a la \u00faltima versi\u00f3n de parisneo/lollms-webui y puede provocar la ejecuci\u00f3n remota de c\u00f3digo sin requerir la interacci\u00f3n del usuario, especialmente cuando la aplicaci\u00f3n est\u00e1 expuesta a un endpoint externo o se opera en modo sin cabeza."}], "lastModified": "2024-11-21T09:42:37.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms_web_ui:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0447480-50CE-4682-B3B1-B8F021C5C731"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}