CVE-2024-2548 — Absolute Path Traversal in Lollms-webui
Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 53.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 6
Description
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and Linux environments using `Path(path).is_absolute()`, attackers can exploit this flaw to read any file on the system. This issue affects the latest version of LoLLMs running on the Windows platform. The vulnerability is t…
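The description above attributes the flaw to validating paths with `Path(path).is_absolute()`, whose answer depends on the flavour of the host it runs on: a Windows drive path such as `C:\...` is not absolute under POSIX rules, and a POSIX path such as `/etc/...` is not absolute under Windows rules, so a check that only consults the host's own flavour leaves a gap. The following is an added example, not code from lollms-webui: it puts the two flavour-specific checks beside a validator that rejects a path absolute under either flavour and then confirms containment after resolving, which also catches `..` sequences. The function names, the constructed sample paths and the temporary root directory are assumptions.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional


def posix_only_is_absolute(user_path: str) -> bool:
    """What Path(...).is_absolute() answers on a Linux host.
    A Windows drive path like 'C:\\x' is *not* absolute under POSIX rules."""
    return PurePosixPath(user_path).is_absolute()


def windows_only_is_absolute(user_path: str) -> bool:
    """What Path(...).is_absolute() answers on a Windows host.
    A POSIX path like '/etc/passwd' has no drive, so it is *not* absolute here."""
    return PureWindowsPath(user_path).is_absolute()


def is_absolute_any_flavour(user_path: str) -> bool:
    """Cross-platform check: absolute under POSIX *or* Windows rules."""
    return posix_only_is_absolute(user_path) or windows_only_is_absolute(user_path)


def safe_join(root: Path, user_path: str) -> Path:
    """Join an untrusted relative path under root.

    Rejects NUL bytes, anything absolute under either path flavour, and any
    result that resolves (through '..' or symlinks) outside root.
    Raises ValueError whose message is the reason: 'nul', 'absolute' or 'escape'.
    """
    if "\x00" in user_path:
        raise ValueError("nul")
    if is_absolute_any_flavour(user_path):
        raise ValueError("absolute")
    root_resolved = root.resolve()
    candidate = (root_resolved / user_path).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise ValueError("escape") from None
    return candidate


# Constructed sample inputs (hypothetical, not from the advisory) mapped to
# the outcome the validator should produce for each.
SAMPLES = {
    "docs/readme.txt": "accepted",
    "/etc/passwd": "absolute",           # absolute under POSIX rules only
    "C:\\Windows\\win.ini": "absolute",  # absolute under Windows rules only
    "C:/Windows/win.ini": "absolute",    # forward slashes, still a drive path
    "../../etc/passwd": "escape",        # relative, but resolves outside root
}


def check_samples(root: Optional[Path] = None) -> dict:
    """Run every sample through safe_join and report the outcome per input."""
    if root is None:
        root = Path(tempfile.mkdtemp(prefix="upload-root-"))  # assumed root dir
    results = {}
    for user_path in SAMPLES:
        try:
            safe_join(root, user_path)
            results[user_path] = "accepted"
        except ValueError as exc:
            results[user_path] = str(exc)
    return results


if __name__ == "__main__":
    # Show the per-flavour answers next to the cross-platform verdict.
    for p, outcome in check_samples().items():
        print(f"{p!r:26} posix={posix_only_is_absolute(p)!s:5} "
              f"windows={windows_only_is_absolute(p)!s:5} -> {outcome}")
```

Running the block prints one line per sample; the two `C:` samples show `posix=False` while `windows=True`, and `/etc/passwd` shows the reverse, which is exactly the gap a single-flavour `is_absolute()` check leaves. The `relative_to` step after `resolve()` is the containment check that does not depend on the absolute-path test at all, so it is worth keeping even when the flavour check is right.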
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (2 packages)
Patches
Vulnerability Details
GHSA advisories (1)
GHSA-4qvc-c86c-g9qp (2024-06-06): A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_bi…