Platform: python
Component: parisneo/lollms-webui
Fixed in: 9.5
CVE-2024-3322 describes a path traversal vulnerability discovered in the 'cyber_security/codeguard' personality of the parisneo/lollms-webui project. This vulnerability allows attackers to potentially read arbitrary files on the system. It affects versions of lollms-webui up to and including 9.5. A patch has been released in version 9.5 to address this issue.
The path traversal vulnerability in lollms-webui allows an attacker to bypass intended access restrictions and read files outside of the intended directory. By manipulating the 'code_folder_path' parameter, an attacker can use '../' sequences or absolute paths to navigate the file system. This could lead to the exposure of sensitive configuration files, source code, or other confidential data stored on the server. The potential impact extends to any data accessible by the user account running the lollms-webui process, potentially enabling further compromise of the system.
CVE-2024-3322 was publicly disclosed on 2024-06-06. Currently, there are no reports of active exploitation campaigns targeting this vulnerability. No Proof of Concept (PoC) code has been publicly released. The vulnerability is not listed on the CISA KEV catalog at the time of writing.
Organizations deploying lollms-webui, particularly those utilizing the 'cyber_security/codeguard' personality, are at risk. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a compromise of one user's instance could potentially lead to access to other users' data.
• linux / server:
  find /opt/lollms-webui -name 'processor.py' -print0 | xargs -0 grep -i 'code_folder_path'
• python / supply-chain:
  Inspect the processor.py file within the lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/ directory for the vulnerable process_folder function and the lack of proper input sanitization.
• generic web:
  Attempt to access files outside the intended directory using path traversal sequences in the URL (e.g., /zoos/personalities_zoo/cyber_security/codeguard/../../../../etc/passwd).
EPSS: 0.79% (74th percentile)
The primary mitigation for CVE-2024-3322 is to upgrade lollms-webui to version 9.5 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., '../'). Additionally, restrict the permissions of the user account running lollms-webui to the minimum necessary to prevent access to sensitive files. Regularly review and audit file system permissions to identify and correct any misconfigurations.
Update to a version later than 9.5. The vulnerability lies in the 'process_folder' function of the file 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py'. The update corrects the sanitization of the 'code_folder_path' input to prevent directory traversal.
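The following is an added example, not code from lollms-webui, showing the kind of containment check that a sanitized 'code_folder_path' needs: the candidate is joined under an allowed root, canonicalised, and only accepted if it still lies inside that root, which rejects both '../' sequences and absolute paths (a '../'-only string filter, like a simple WAF rule, misses the latter). The root directory and the function names are assumptions.

```python
from pathlib import Path

# Constructed example: the directory under which code folders may live.
# The real lollms-webui layout and the signature of process_folder are
# assumptions here, not the project's own code.
ALLOWED_ROOT = Path("/srv/lollms/code_folders")


def naive_filter_accepts(code_folder_path: str) -> bool:
    """What a '../'-only string filter or WAF rule checks.
    It lets absolute paths through, which the advisory lists as a second vector."""
    return "../" not in code_folder_path and "..\\" not in code_folder_path


def resolve_code_folder(code_folder_path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Canonicalise a user-supplied code_folder_path under `root`.

    Raises ValueError if the resulting directory lies outside `root`.
    The containment test runs on the *resolved* path, so '..' segments,
    absolute paths (which Path's '/' operator would otherwise honour) and
    symlinks pointing outside the root are all caught by one comparison.
    """
    root = root.resolve()
    candidate = (root / code_folder_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"code_folder_path escapes allowed root: {code_folder_path!r}")
    return candidate


def check_code_folder(code_folder_path: str, root: Path = ALLOWED_ROOT) -> tuple:
    """Return (accepted, detail) so a caller can log rejected requests."""
    try:
        resolved = resolve_code_folder(code_folder_path, root)
    except ValueError as exc:
        return False, str(exc)
    return True, str(resolved)


if __name__ == "__main__":
    # Constructed sample inputs: two benign, two traversal attempts.
    for sample in ["project_a", "project_a/../project_b", "../../etc", "/etc"]:
        print(f"{sample!r}: naive_filter={naive_filter_accepts(sample)}, "
              f"checked={check_code_folder(sample)}")
```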
CVE-2024-3322 is a Path Traversal vulnerability in parisneo/lollms-webui versions up to 9.5, allowing attackers to potentially read arbitrary files.
You are affected if you are using lollms-webui versions 9.5 or earlier. Upgrade to version 9.5 to mitigate the risk.
Upgrade lollms-webui to version 9.5 or later. Consider implementing WAF rules to block suspicious path traversal attempts.
As of now, there are no confirmed reports of active exploitation of CVE-2024-3322.
Refer to the parisneo/lollms-webui project's repository and release notes for the official advisory and update information.