Platform
python
Component
parisneo/lollms
Fixed version
9.8
CVE-2024-4315 is a critical Local File Inclusion (LFI) vulnerability affecting lollms versions 9.5 and earlier. The flaw allows attackers to read or delete arbitrary files on the system, leading to data compromise and system instability. It stems from inadequate path sanitization in the sanitize_path_from_endpoint function, which did not correctly handle Windows-style paths (backslash separators). Upgrade to version 9.8 to address this security risk.
The impact of CVE-2024-4315 is significant, particularly on Windows systems. An attacker can exploit this LFI vulnerability to read sensitive configuration files, source code, or even system binaries. The ability to delete files could lead to denial-of-service conditions or further compromise the system. The vulnerability's exploitation path through personalities and /del_preset suggests a relatively straightforward attack vector, potentially accessible to less sophisticated attackers. Successful exploitation could grant an attacker complete control over the affected system, allowing for data exfiltration, privilege escalation, and persistent access.
CVE-2024-4315 was publicly disclosed on 2024-06-12. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests that a PoC could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations running lollms version 9.5 or earlier, particularly those deploying the application on Windows servers, are at significant risk. Shared hosting environments where multiple users share the same lollms instance are also vulnerable, as an attacker could potentially exploit the vulnerability to access files belonging to other users.
• windows / supply-chain:
Get-ChildItem -Path "C:\path\to\lollms\personalities" -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.FullName -match '\.\.'}  # Look for parent-directory (..) components that should never appear under the personalities tree
• linux / server:
find /opt/lollms/personalities -type f -print0 | xargs -0 grep -i '\\'  # Look for backslash (Windows-style) path separators in personality files
• generic web:
curl -I http://your-lollms-server/personalities/../../../../etc/passwd  # Attempt directory traversal against your own instance to confirm it is rejected
disclosure
Exploitation status
EPSS
0.90% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-4315 is to upgrade lollms to version 9.8 or later, which includes the necessary path sanitization fixes. If an immediate upgrade is not feasible, consider implementing stricter file access controls and limiting the permissions of the lollms user account. Monitor the personalities and /del_preset endpoints for suspicious activity. While a WAF might offer some protection, it's unlikely to be effective against this type of LFI vulnerability without specific rules tailored to the application's logic. After upgrading, verify the fix by attempting to access files outside the intended directories via the vulnerable endpoints to confirm that directory traversal is prevented.
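The root cause described above is a sanitizer that treats only `/` as a path separator, so a Windows-style `..\..\` sequence passes through. The following is an added illustrative example, not lollms's own sanitize_path_from_endpoint or any other code from the project: it shows the checks such a function needs (normalizing both separators before looking for `..`, rejecting absolute, drive-letter and UNC paths and NUL bytes, and verifying containment on the resolved path), plus a small self-check that a defender can run after upgrading or patching to confirm traversal-style inputs are rejected. All function names and sample inputs are constructed for this example.

```python
import re
from pathlib import Path

# Hypothetical hardened sanitizer for an endpoint parameter that names a path
# relative to a base directory (e.g. a personalities or presets folder).
# Added for this page; NOT lollms's own sanitize_path_from_endpoint.
_DRIVE_OR_UNC_RE = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")


def sanitize_relative_path(user_path: str) -> str:
    """Return a normalized forward-slash relative path, or raise ValueError.

    Backslash and slash are treated as the same separator, so Windows-style
    traversal (..\\..\\) is caught by the same rule as ../../.
    """
    if not isinstance(user_path, str) or not user_path:
        raise ValueError("empty path")
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Reject absolute, drive-letter (C:) and UNC (\\host\share) paths up front.
    if _DRIVE_OR_UNC_RE.match(user_path) or user_path[0] in "/\\":
        raise ValueError("absolute, drive-letter or UNC path not allowed")
    # Normalize separators BEFORE any component check; a check that only
    # looks for '/' is exactly the weakness this advisory describes.
    parts = [p for p in user_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("path resolves to the base directory itself")
    for part in parts:
        # '..' plus names made only of dots/spaces (which Windows may collapse).
        if part == ".." or set(part) <= {".", " "}:
            raise ValueError("parent-directory traversal not allowed")
    return "/".join(parts)


def resolve_under(base_dir, user_path: str) -> Path:
    """Resolve user_path beneath base_dir and confirm the result stays inside."""
    safe_rel = sanitize_relative_path(user_path)
    base = Path(base_dir).resolve()
    target = (base / safe_rel).resolve()
    # Second line of defence: containment check on the resolved path catches
    # symlinks under the base that point outside it.
    if target != base and base not in target.parents:
        raise ValueError("resolved path escapes the base directory")
    return target


def check_traversal_rejected(candidates):
    """Return the subset of candidate inputs that the sanitizer rejects.

    Use this after an upgrade: every traversal-style input should come back.
    """
    rejected = []
    for cand in candidates:
        try:
            sanitize_relative_path(cand)
        except ValueError:
            rejected.append(cand)
    return rejected


# Constructed sample inputs (not taken from any real request or advisory).
TRAVERSAL_INPUTS = [
    "../../etc/passwd",                         # POSIX-style traversal
    "..\\..\\windows\\win.ini",                  # Windows-style traversal
    "personalities/..\\..\\secret.yaml",        # mixed separators
    "C:\\Windows\\System32\\drivers\\etc\\hosts",  # drive-letter absolute path
    "\\\\fileserver\\share\\conf.yaml",         # UNC path
    "/etc/shadow",                              # POSIX absolute path
    "ok\x00../../x",                            # NUL-byte truncation trick
]
BENIGN_INPUTS = ["generic/lollms", "personalities\\coding\\python.yaml", "./a/b"]

if __name__ == "__main__":
    print("rejected:", check_traversal_rejected(TRAVERSAL_INPUTS))
    print("accepted:", [sanitize_relative_path(p) for p in BENIGN_INPUTS])
```

The design point is ordering: separators are normalized first and `..` is checked on the resulting components, rather than pattern-matching the raw string for `../`. The containment check in `resolve_under` is deliberately redundant with the sanitizer so that a future sanitizer regression, or a symlink inside the base directory, still cannot reach files outside it.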
Update the parisneo/lollms library to version 9.8 or later. That version contains the fix for the Local File Inclusion (LFI) vulnerability caused by insufficient path sanitization. Updating prevents directory traversal attacks on Windows systems.
CVE-2024-4315 is a critical Local File Inclusion (LFI) vulnerability in lollms versions up to 9.8, allowing attackers to read or delete files on Windows systems.
You are affected if you are running lollms version 9.5 or earlier. Upgrade to version 9.8 to mitigate the risk.
Upgrade lollms to version 9.8 or later. Implement stricter file access controls as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the lollms project's official repository or website for the latest security advisories and updates.