Platform
python
Component
lollms
Fixed in
9.5.1
CVE-2024-6281 describes a path traversal vulnerability discovered in parisneo/lollms, a Python-based large language model interface, affecting versions up to 9.5.0. This flaw allows attackers to manipulate file paths, potentially leading to unauthorized access and modification of critical system files. A patch, version 9.5.1, has been released to address this vulnerability.
The path traversal vulnerability in lollms arises from insufficient sanitization of the `discussion_db_name` parameter within the `apply_settings` function. An attacker can craft input that bypasses the intended path restrictions and causes files to be written to arbitrary locations on the system. This could include overwriting configuration files, injecting malicious code, or exfiltrating sensitive data. The potential impact extends beyond the lollms application itself and could compromise the entire host if the attacker gains sufficient privileges. The flaw follows the familiar path traversal pattern in which missing input validation lets a caller navigate outside the directory the application intended to confine it to.
CVE-2024-6281 was publicly disclosed on 2024-07-20. Currently, there are no known active campaigns exploiting this vulnerability, but the availability of a public CVE and the relatively simple nature of the exploit suggest a potential for future exploitation. The EPSS score is likely medium, reflecting the ease of exploitation and potential impact. No KEV listing is currently available.
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6281 is to upgrade to lollms version 9.5.1 immediately. If upgrading is not immediately feasible, consider temporary workarounds. Restrict the file access permissions of the account lollms runs under to the absolute minimum required. Apply strict input validation to the `discussion_db_name` parameter so that it contains only expected characters and no path traversal sequences (e.g., `../`). Consider placing a Web Application Firewall (WAF) in front of the service to filter such requests. After upgrading, verify the fix by attempting to reach a restricted file through the `discussion_db_name` parameter and confirming that the request is rejected.
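The following added example (not code from the lollms project) shows the validation described above on a generic settings handler. The base directory, the regular expression, and the function names are assumptions for illustration; the page does not show lollms' real code. The unsafe function reproduces the vulnerable pattern, where the caller-supplied name is joined onto a base directory without checks, and the hardened function allow-lists the name and then independently confirms that the resolved path still lies inside the base directory.

```python
import re
from pathlib import Path

# Hypothetical location of discussion databases (assumption, not lollms' real layout).
BASE_DIR = Path("/var/lib/lollms/databases")

# Constructed allow-list for a database name: letters, digits, underscore, hyphen
# and dot only; may not start with a dot; must end in ".db". Slashes, backslashes
# and ".." can never match, so traversal sequences are rejected up front.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\.db")


def unsafe_db_path(discussion_db_name: str, base_dir: Path = BASE_DIR) -> Path:
    """Vulnerable pattern: the user-controlled name is joined onto base_dir with
    no validation, so "../" sequences or an absolute path escape the directory.
    Shown only to contrast with safe_db_path below."""
    return base_dir / discussion_db_name


def escapes_base(path: Path, base_dir: Path = BASE_DIR) -> bool:
    """True if the fully resolved path is not inside base_dir."""
    try:
        path.resolve().relative_to(base_dir.resolve())
        return False
    except ValueError:
        return True


def safe_db_path(discussion_db_name: str, base_dir: Path = BASE_DIR) -> Path:
    """Hardened pattern: allow-list the name, then verify the resolved path."""
    if not SAFE_NAME.fullmatch(discussion_db_name):
        raise ValueError(f"invalid discussion_db_name: {discussion_db_name!r}")
    candidate = base_dir / discussion_db_name
    # Defence in depth: even if the allow-list were loosened later, a name whose
    # resolved location leaves base_dir (e.g. via a symlink) is still refused.
    if escapes_base(candidate, base_dir):
        raise ValueError("discussion_db_name escapes the databases directory")
    return candidate.resolve()


def is_safe_name(discussion_db_name: str) -> bool:
    """Convenience wrapper: True if safe_db_path would accept the name."""
    try:
        safe_db_path(discussion_db_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and a few traversal attempts.
    for name in ["chat_2024.db", "../../etc/passwd", "/etc/passwd", ".hidden.db"]:
        print(f"{name!r:22} unsafe->{unsafe_db_path(name)}  accepted={is_safe_name(name)}")
```

The regular expression does the real work; the `escapes_base` check is a second, independent control so that a later relaxation of the allow-list does not silently reopen the traversal.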
Update the parisneo/lollms library to version 9.5.1 or later. This corrects the path traversal vulnerability in the `apply_settings` function by properly securing the `discussion_db_name` parameter. The update prevents attackers from manipulating the path and writing into important system directories.
CVE-2024-6281 is a path traversal vulnerability in parisneo/lollms versions up to 9.5.0, allowing attackers to potentially write files to arbitrary locations on the system.
You are affected if you are using parisneo/lollms versions 9.5.0 or earlier. Upgrade to version 9.5.1 to mitigate the risk.
The recommended fix is to upgrade to version 9.5.1 of lollms. As a temporary workaround, restrict file access permissions and validate user inputs.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the parisneo/lollms GitHub repository and associated release notes for the official advisory and patch information.