CVE-2024-3322

A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py'. Specifically, the function fails to properly sanitize user-supplied input for the 'code_folder_path', allowing an attacker to specify arbitrary paths using '../' or absolute paths. This flaw leads to arbitrary file read and overwrite capabilities in specified directories without limitations, posing a significant risk of sensitive information disclosure and unauthorized file manipulation.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*

History

17 Oct 2024, 20:20

Type Values Removed Values Added
CPE cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.4
v2 : unknown
v3 : 9.8
First Time Lollms lollms Web Ui
Lollms
References () https://github.com/parisneo/lollms-webui/commit/1e17df01e01d4d33599db2afaafe91d90b6f0189 - () https://github.com/parisneo/lollms-webui/commit/1e17df01e01d4d33599db2afaafe91d90b6f0189 - Patch
References () https://huntr.com/bounties/e0822362-033a-4a71-b1dc-d803f03bd427 - () https://huntr.com/bounties/e0822362-033a-4a71-b1dc-d803f03bd427 - Exploit, Third Party Advisory

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de path traversal en la personalidad nativa 'cyber_security/codeguard' de parisneo/lollms-webui, que afecta a las versiones hasta la 9.5. La vulnerabilidad surge de la limitación inadecuada de un nombre de ruta a un directorio restringido en la función 'process_folder' dentro de 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py'. Específicamente, la función no sanitiza adecuadamente la entrada proporcionada por el usuario para 'code_folder_path', lo que permite a un atacante especificar rutas arbitrarias usando '../' o rutas absolutas. Esta falla genera capacidades arbitrarias de lectura y sobrescritura de archivos en directorios específicos sin limitaciones, lo que plantea un riesgo significativo de divulgación de información confidencial y manipulación no autorizada de archivos.

06 Jun 2024, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:16

Updated : 2024-10-17 20:20


NVD link : CVE-2024-3322

Mitre link : CVE-2024-3322

CVE.ORG link : CVE-2024-3322


JSON object : View

Products Affected

lollms

  • lollms_web_ui
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')