CVE-2024-3121Code Injection in Lollms

CWE-94Code InjectionCWE-78OS Command Injection3 documents3 sources
Severity
3.3LOWNVD
EPSS
0.1%
top 64.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo LollmsLollms
Timeline
PublishedJun 24

Description

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

CVEListV5parisneo/parisneo_lollmsunspecifiedlatest
PyPIlollms/lollms9.5.1
NVDlollms/lollms5.9.0

🔴Vulnerability Details

2
GHSA
Remote Code Execution in create_conda_env function in lollms2024-06-24
OSV
Remote Code Execution in create_conda_env function in lollms2024-06-24