CVE-2024-4078

A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
Configurations

No configuration.

History

21 Nov 2024, 09:42

Type Values Removed Values Added
References () https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f - () https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f -
References () https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d - () https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d -
Summary
  • (es) Una vulnerabilidad en parisneo/lollms, específicamente en el endpoint `/unInstall_binding`, permite la ejecución de código arbitrario debido a una sanitización insuficiente de la entrada del usuario. El problema surge de la falta de sanitización de rutas al manejar el parámetro `name` en la función `unInstall_binding`, lo que permite a un atacante atravesar directorios y ejecutar código arbitrario cargando un archivo `__init__.py` malicioso. Esta vulnerabilidad afecta a la última versión del software. La explotación de esta vulnerabilidad podría conducir a la ejecución remota de código en el sistema donde está implementado parisneo/lollms.

16 May 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-16 09:15

Updated : 2024-11-21 09:42


NVD link : CVE-2024-4078

Mitre link : CVE-2024-4078

CVE.ORG link : CVE-2024-4078


JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')