Platform
python
Component
parisneo/lollms-webui
Fixed version
v9.3
CVE-2024-1873 describes a Path Traversal vulnerability discovered in the lollms-webui project, specifically within its /select_database endpoint. This flaw allows attackers to manipulate file paths, potentially leading to denial of service by creating directories that interfere with critical system files. The vulnerability affects versions of lollms-webui up to and including v9.3, and a fix is available in version v9.3.
The primary impact of CVE-2024-1873 is denial of service. An attacker can exploit this vulnerability by crafting malicious requests to the /select_database endpoint, providing absolute file paths. This allows them to create directories anywhere on the system where the lollms-webui application has write permissions. A particularly concerning scenario involves creating directories with names identical to critical system files, such as those used for HTTPS certificates. This can prevent the server from starting correctly, effectively rendering the system unavailable. While the vulnerability description does not explicitly mention data exfiltration, the ability to write arbitrary files could potentially be leveraged for other malicious purposes depending on the application's permissions and configuration.
CVE-2024-1873 was publicly disclosed on 2024-06-06. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Organizations deploying lollms-webui in production environments, particularly those running vulnerable versions (≤v9.3) or those with lax file permission configurations, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as an attacker could potentially exploit this vulnerability to impact other users on the same server.
• python / lollms-webui:
    # Check for the vulnerable endpoint
    curl -I http://<lollms-webui-ip>/select_database
• python / lollms-webui:
    # Monitor for suspicious file creation attempts in lollms-webui logs
    grep -i "/select_database" /var/log/lollms-webui.log
• generic web:
    # Check for directory listing exposure
    curl -I http://<lollms-webui-ip>/directory_listing
Exploitation status
EPSS
2.42% (85th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2024-1873 is to immediately upgrade lollms-webui to version v9.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /select_database endpoint that contain suspicious characters or absolute file paths. Additionally, review the application's file permissions to ensure that the lollms-webui process has only the minimum necessary access to the file system. After upgrading, confirm the fix by attempting to access the /select_database endpoint with a crafted path traversal payload (e.g., /../etc/passwd) and verifying that the request is rejected.
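The absolute-path and '..' handling described above, written as a hardened name-validation routine in Python. This is an added example, not lollms-webui's own code; the base directory /srv/lollms/databases and the sample request values are constructed for illustration.

```python
from pathlib import Path, PurePosixPath


class InvalidDatabaseName(ValueError):
    """Raised when a requested database name would escape the databases directory."""


def resolve_database_dir(base_dir: Path, requested: str) -> Path:
    """Map a user-supplied database name to a directory strictly inside base_dir.

    The weak pattern behind CVE-2024-1873 is joining the request value onto the
    databases directory and creating it: os.path.join() drops base_dir entirely when
    the value is absolute, and '..' components walk back out. Reject both before
    the handler ever calls mkdir().
    """
    if not requested or requested != requested.strip() or "\x00" in requested:
        raise InvalidDatabaseName("empty, padded or NUL-containing name")
    if "\\" in requested:  # Windows separators would slip past the POSIX checks below
        raise InvalidDatabaseName("backslash in name")
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise InvalidDatabaseName(f"traversal attempt: {requested!r}")
    if len(rel.parts) != 1:  # exactly one plain component: no nesting, no bare '.'
        raise InvalidDatabaseName("name must be a single path component")
    base = base_dir.resolve()
    target = (base / rel.parts[0]).resolve()
    if target.parent != base:  # defence in depth, e.g. a symlink planted inside base
        raise InvalidDatabaseName("resolved path left the databases directory")
    return target


# Constructed request values: one legitimate name and four shapes the handler (or an
# interim WAF rule) should refuse: absolute path, '..' walk, nested path, backslash.
SAMPLE_REQUESTS = ("personal_db", "/etc/ssl/private", "../../etc/ssl", "a/b", "C:\\certs")


# The default base_dir is a constructed placeholder, not lollms-webui's real layout.
def check_requests(base_dir: str = "/srv/lollms/databases", requests=SAMPLE_REQUESTS) -> dict:
    """Report, per request value, the directory that would be created or 'rejected'."""
    results = {}
    for name in requests:
        try:
            results[name] = resolve_database_dir(Path(base_dir), name).as_posix()
        except InvalidDatabaseName:
            results[name] = "rejected"
    return results
```

The containment check on the resolved path is what makes the routine safe even if a later code change relaxes the syntactic rules.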
Update the parisneo/lollms-webui library to version 9.3 or later. This fixes the path traversal and denial-of-service vulnerability. You can update using the Python package manager, pip, by running `pip install --upgrade lollms-webui`.
CVE-2024-1873 is a Path Traversal vulnerability in lollms-webui versions up to v9.3, allowing attackers to manipulate file paths and potentially cause denial of service.
You are affected if you are running lollms-webui version 9.3 or earlier. Upgrade to v9.3 to mitigate the risk.
Upgrade lollms-webui to version 9.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /select_database endpoint.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the lollms-webui project's repository and release notes for the official advisory and update information.