Platform: python
Component: lollms
Fixed in: 9.5.1
CVE-2024-6281 describes a path traversal vulnerability discovered in parisneo/lollms, a Python-based large language model interface, affecting versions up to 9.5.0. This flaw allows attackers to manipulate file paths, potentially leading to unauthorized access and modification of critical system files. A patch, version 9.5.1, has been released to address this vulnerability.
The path traversal vulnerability in lollms allows an attacker to bypass the intended directory restriction and write to, or modify, files outside the application's data directory. The `discussion_db_name` parameter handled by the `apply_settings` function is used to build a file path without validation, so a value containing `../` segments or an absolute path escapes the directory in which discussion databases are meant to live. An attacker who can write to arbitrary locations could overwrite configuration or other critical files, which, depending on the privileges lollms runs with, may lead to code execution, persistent access, data exfiltration or denial of service. The ability to write to arbitrary paths significantly widens the attack surface compared with a read-only traversal.
CVE-2024-6281 was publicly disclosed on 2024-07-20. Currently, there are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the ease of exploitation due to the path traversal nature suggests a potential for rapid PoC development. The vulnerability is not currently listed on the CISA KEV catalog.
Users running lollms versions prior to 9.5.1, particularly those with lax file access permissions or who are running lollms in environments with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same server and file system are also particularly vulnerable.
• python / server:

```python
import glob
import os

# Check for suspicious files in lollms directories.
# The paths below are placeholders; replace them with the real install paths.
restricted_dirs = ['/path/to/lollms/data', '/path/to/lollms/config']
for directory in restricted_dirs:
    # glob only matches names that start with '..'; a file written through the
    # traversal may have an ordinary name, so also review recent mtimes there.
    for path in glob.glob(os.path.join(directory, '..*')):
        print(f'Suspicious file found: {path}')
```

• linux / server:

```bash
# Check the lollms process for unusual file access.
# pgrep -d, joins all matching PIDs with commas, the form lsof -p expects;
# the guard avoids calling lsof with an empty PID list when nothing matches.
# Note that lsof prints resolved paths, so a literal '/../' will rarely appear;
# files open outside the install directory are the more useful signal.
pids=$(pgrep -d, -f lollms) && lsof -p "$pids" | grep '/../'
```

• generic web:

```bash
# Post-upgrade check: a patched server should reject a traversal in
# discussion_db_name. The flaw is a write, not a read, so a match on
# 'etc/passwd' in the response is only a weak indicator; the HTTP status and
# the server log are more reliable. Adjust host, port and endpoint to your deployment.
curl -s 'http://your-lollms-server/apply_settings?discussion_db_name=../../../../etc/passwd' | grep 'etc/passwd'
```

Disclosure:
Exploit status:
EPSS: 0.08% (24th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-6281 is to upgrade lollms to version 9.5.1 or later immediately. If upgrading is not immediately feasible, restrict file system permissions so that the account running lollms can only write inside its own data directory. Validate and sanitize the `discussion_db_name` input so that path separators, `..` segments and absolute paths are rejected before a path is built from it. Monitor system logs for unusual file access or modification attempts. After upgrading, confirm the fix by sending the `apply_settings` function a crafted `discussion_db_name` value that points outside the data directory and checking that the server rejects it.
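As an added illustration of the root cause described above and of the input-validation advice in the mitigation (example code written for this page, not lollms's own code; `BASE_DIR`, `vulnerable_db_path`, `safe_db_path` and the sample names are assumptions, not the project's identifiers), the naive join is shown beside a hardened check:

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical stand-in for the directory where lollms keeps discussion
# databases; the project's real layout is not assumed here.
BASE_DIR = Path(tempfile.gettempdir()) / "lollms_databases_demo"

# Allow-list: letters, digits, '_' and '-', with an optional .db suffix.
# This rejects '/', '\\', '..' and NUL before any path arithmetic happens.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.db)?")


def vulnerable_db_path(base: Path, discussion_db_name: str) -> Path:
    """The pattern behind the CVE: join the user-controlled name as-is.

    '..' segments climb out of `base`, and os.path.join discards `base`
    entirely when the name is an absolute path.
    """
    return Path(os.path.join(base, discussion_db_name))


def safe_db_path(base: Path, discussion_db_name: str) -> Path:
    """Hardened form: allow-list the name, then prove the resolved path stays in base."""
    if not _SAFE_NAME.fullmatch(discussion_db_name):
        raise ValueError(f"rejected discussion_db_name: {discussion_db_name!r}")
    base_resolved = base.resolve()  # canonical form, symlinks followed
    candidate = (base_resolved / discussion_db_name).resolve()
    if not candidate.is_relative_to(base_resolved):  # Python 3.9+
        raise ValueError(f"path escapes {base_resolved}: {candidate}")
    return candidate


def is_safe(base: Path, discussion_db_name: str) -> bool:
    """True if the hardened check accepts the name."""
    try:
        safe_db_path(base, discussion_db_name)
        return True
    except ValueError:
        return False


def escapes_base(base: Path, discussion_db_name: str) -> bool:
    """True if the naive join would place the file outside `base`."""
    resolved = vulnerable_db_path(base, discussion_db_name).resolve()
    return not resolved.is_relative_to(base.resolve())


# Constructed sample inputs, not captured traffic.
SAMPLES = [
    "my_chat.db",              # legitimate name
    "../../../../etc/passwd",  # classic traversal
    "/etc/passwd",             # absolute path makes os.path.join drop the base
    "sub/../x.db",             # resolves inside base, but is not a plain file name
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} naive_escapes={escapes_base(BASE_DIR, name)!s:5} "
              f"hardened_accepts={is_safe(BASE_DIR, name)}")
```

The allow-list alone is sufficient for a database file name; the resolve-and-contain check is defence in depth, and because `resolve()` follows symlinks it also catches a base directory that has been replaced by a link. Note that `sub/../x.db` would land inside the base directory after normalization, yet the hardened check still rejects it, which is the point of validating the name rather than only the final path.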
Update the parisneo/lollms library to version 9.5.1 or later. This fixes the path traversal vulnerability in the `apply_settings` function by properly validating the `discussion_db_name` parameter. The update prevents attackers from manipulating the path and writing into important system directories.
CVE-2024-6281 is a path traversal vulnerability in parisneo/lollms versions up to 9.5.0, allowing attackers to potentially write files to arbitrary locations on the system.
You are affected if you are using parisneo/lollms versions 9.5.0 or earlier. Upgrade to version 9.5.1 to mitigate the risk.
The recommended fix is to upgrade to version 9.5.1 of lollms. As a temporary workaround, restrict file access permissions and validate user inputs.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the parisneo/lollms GitHub repository and associated release notes for the official advisory and patch information.