Platform: python
Component: parisneo/lollms-webui
Fixed in: 9.5
CVE-2024-3322 describes a path traversal vulnerability discovered in the 'cyber_security/codeguard' personality of the parisneo/lollms-webui project. This vulnerability allows attackers to potentially read arbitrary files on the system. It affects versions of lollms-webui up to and including 9.5. A patch has been released in version 9.5 to address this issue.
The path traversal vulnerability in lollms-webui allows an attacker to bypass intended access restrictions and read files outside of the intended directory. By manipulating the 'codefolderpath' parameter, an attacker can use '../' sequences or absolute paths to navigate the file system. This could lead to the exposure of sensitive configuration files, source code, or other confidential data stored on the server. The potential impact extends to any data accessible by the user account running the lollms-webui process, potentially enabling further compromise of the system.
CVE-2024-3322 was publicly disclosed on 2024-06-06. Currently, there are no reports of active exploitation campaigns targeting this vulnerability. No Proof of Concept (PoC) code has been publicly released. The vulnerability is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.79% (74th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3322 is to upgrade lollms-webui to version 9.5 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., '../'). Additionally, restrict the permissions of the user account running lollms-webui to the minimum necessary to prevent access to sensitive files. Regularly review and audit file system permissions to identify and correct any misconfigurations.
Update to a version later than 9.5. The vulnerability is located in the 'process_folder' function of the 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py' file. The update corrects the sanitization of the 'code_folder_path' input to prevent path traversal.
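The fix described above comes down to confining a user-supplied folder path to an allowed root. The following is an added illustration of that containment check, written for this page and not taken from the lollms-webui code base; the function names, the allowed root and the sample inputs are all constructed. It resolves the requested path (following symlinks) and rejects anything whose resolved form is not the root or a descendant of it, which covers '../' sequences, absolute paths, and symlinks that point outside the root.

```python
import tempfile
from pathlib import Path


def resolve_code_folder(code_folder_path: str, allowed_root: Path) -> Path:
    """Resolve a user-supplied folder strictly inside allowed_root.

    Hypothetical helper (not project code). Raises ValueError when the
    resolved path escapes the root via '../' segments, an absolute path,
    or a symlink that points outside the root.
    """
    root = allowed_root.resolve()
    # Note: pathlib drops the left operand when the right side is absolute,
    # so 'root / "/etc"' is just '/etc'. The containment check below, run on
    # the fully resolved path, is what actually enforces the boundary.
    candidate = (root / code_folder_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {code_folder_path!r}")
    return candidate


def is_allowed_code_folder(code_folder_path: str, allowed_root: Path) -> bool:
    """Boolean form of the check, convenient for request validation."""
    try:
        resolve_code_folder(code_folder_path, allowed_root)
        return True
    except ValueError:
        return False


# Constructed sample inputs covering the cases the advisory mentions.
CONSTRUCTED_INPUTS = [
    "project",                  # benign relative folder
    "project/../project/src",   # contains '..' but stays inside the root
    "../../etc",                # classic '../' escape
    "/etc",                     # absolute path
    "escape_link",              # symlink inside the root pointing outside
]


def check_samples() -> dict:
    """Build a throwaway directory tree and classify each sample input.

    Returns a mapping input -> True (allowed) / False (rejected). The
    symlink case is omitted from the result if the platform cannot create
    symlinks, so the remaining results stay deterministic.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        root = tmp_path / "code_root"
        (root / "project" / "src").mkdir(parents=True)
        outside = tmp_path / "outside"
        outside.mkdir()
        inputs = list(CONSTRUCTED_INPUTS)
        try:
            (root / "escape_link").symlink_to(outside, target_is_directory=True)
        except OSError:
            inputs.remove("escape_link")
        return {p: is_allowed_code_folder(p, root) for p in inputs}


if __name__ == "__main__":
    for sample, allowed in check_samples().items():
        print(f"{sample!r:28} -> {'allowed' if allowed else 'rejected'}")
```

Two design points worth noting: the check compares fully resolved paths on both sides, so a root that itself lives behind a symlink (as /tmp does on macOS) is handled, and the comparison uses `Path.parents` rather than a string prefix test, so a sibling directory such as `code_root2` is not mistaken for a child of `code_root`.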
CVE-2024-3322 is a Path Traversal vulnerability in parisneo/lollms-webui versions up to 9.5, allowing attackers to potentially read arbitrary files.
You are affected if you are using lollms-webui versions 9.5 or earlier. Upgrade to version 9.5 to mitigate the risk.
Upgrade lollms-webui to version 9.5 or later. Consider implementing WAF rules to block suspicious path traversal attempts.
As of now, there are no confirmed reports of active exploitation of CVE-2024-3322.
Refer to the parisneo/lollms-webui project's repository and release notes for the official advisory and update information.