Platform: python
Component: parisneo/lollms-webui
CVE-2024-4320 represents a critical Remote Code Execution (RCE) vulnerability discovered in the /install_extension endpoint of the parisneo/lollms-webui application. This flaw stems from inadequate input validation, enabling attackers to leverage Local File Inclusion (LFI) to execute arbitrary code on the server. All versions of lollms-webui are currently considered affected, and immediate action is recommended to mitigate the risk.
The impact of CVE-2024-4320 is severe. An attacker can exploit this vulnerability to execute arbitrary code within the context of the lollms-webui application, potentially gaining full control of the underlying server. This could lead to data breaches, system compromise, and further malicious activity. The ability to load and execute arbitrary Python code via LFI significantly expands the attack surface, allowing attackers to install malware, steal sensitive data, or disrupt services. The vulnerability’s location within an extension installation process makes it particularly concerning, as attackers could potentially inject malicious extensions to achieve persistent access.
CVE-2024-4320 was publicly disclosed on June 6, 2024. The vulnerability's ease of exploitation and its potential for significant impact suggest a medium probability of exploitation. No public proof-of-concept (PoC) code had been released as of this writing, but given the vulnerability's nature, PoCs are likely to emerge. It is not currently listed in the CISA KEV catalog.
Organizations deploying lollms-webui, particularly those running it in production environments or on systems containing sensitive data, are at significant risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as a compromise of one user's installation could potentially impact others.
• linux / server:
  journalctl -u lollms-webui -g 'install_extension' | grep -i 'file: '  # Look for suspicious file paths
• generic web:
  curl -I 'http://your-lollms-webui/install_extension?name=../../../../etc/passwd'  # Attempt LFI
• python / supply-chain:
  Inspect the ExtensionBuilder().build_extension() method in the lollms-webui source code for improper input validation.
EPSS: 63.98% (98th percentile)
The primary mitigation for CVE-2024-4320 is to immediately upgrade to a patched version of lollms-webui. Since a fixed version is not yet available, a temporary workaround involves disabling the /install_extension endpoint or implementing strict input validation on the name parameter to prevent the inclusion of arbitrary files. Consider using a Web Application Firewall (WAF) to filter requests containing suspicious filenames or paths. Monitor system logs for unusual file access patterns or attempts to execute Python code from unexpected locations. After applying any mitigation, verify its effectiveness by attempting to trigger the vulnerability with a benign payload and confirming that it is blocked.
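Added example (not code from lollms-webui or its authors): a hardened version of the name-to-path step that the input-validation workaround above calls for, shown beside the weak unvalidated join it replaces. The extensions directory, the allowlist regex and all function names are assumptions made for this example.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional

# Assumed allowlist policy for this example (not lollms-webui's own rule):
# an extension name is a single path component of letters, digits, '_' or '-'.
EXTENSION_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def weak_extension_path(extensions_root: str, name: str) -> Path:
    """The weak pattern the advisory describes: the request's name is joined
    to the extensions directory unvalidated, so '..' segments escape it."""
    return (Path(extensions_root) / name).resolve()


def safe_extension_path(extensions_root: str, name: str) -> Optional[Path]:
    """Return the extension's path, or None if the name is rejected.
    Two independent checks: a syntactic allowlist on the name, then a
    containment check on the resolved path, so anything that slips past the
    allowlist still cannot point outside the extensions directory."""
    if not EXTENSION_NAME_RE.fullmatch(name):
        return None
    root = Path(extensions_root).resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:  # must be strictly inside the root
        return None
    return candidate


def escapes_root(extensions_root: str, path: Path) -> bool:
    """True if a resolved path lies outside the extensions directory."""
    root = Path(extensions_root).resolve()
    return path != root and root not in path.parents


def classify(extensions_root: str, names: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate name to whether the hardened check accepts it."""
    return {n: safe_extension_path(extensions_root, n) is not None for n in names}


# Constructed sample inputs; the root is a placeholder directory that need not
# exist, since Path.resolve() normalises '..' lexically for missing paths.
EXTENSIONS_ROOT = "/opt/lollms/extensions"
SAMPLES = ["my_extension", "../../../../etc/passwd", "ext/../../etc/shadow", "..", ""]

if __name__ == "__main__":
    for name in SAMPLES:
        weak = weak_extension_path(EXTENSIONS_ROOT, name)
        print(f"{name!r:26} weak: {weak} (escapes: {escapes_root(EXTENSIONS_ROOT, weak)})"
              f"  hardened: {safe_extension_path(EXTENSIONS_ROOT, name)}")
```

The same containment check is what a benign verification payload after mitigation should exercise: a traversal name must be rejected before any file is read or imported.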
Update the parisneo/lollms-webui library to the latest available version. This should include the fix for the remote code execution vulnerability. Consult the project repository or the release notes for more details on the update.
CVE-2024-4320 is a critical Remote Code Execution vulnerability in the /install_extension endpoint of lollms-webui, allowing attackers to execute arbitrary code via Local File Inclusion.
Yes, all versions of lollms-webui are currently considered affected by this vulnerability. Immediate action is required.
Upgrade to a patched version of lollms-webui as soon as it becomes available. Until then, disable the /install_extension endpoint or implement strict input validation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the parisneo/lollms-webui GitHub repository and associated security advisories for updates and official guidance.