THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-4897

Remote Code Execution in parisneo/lollms-webui

Assigner@huntr_ai
Reserved2024-05-15
Published2024-07-02
Updated2024-07-03

Description

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.



HIGH: 8.4CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-76 Improper Neutralization of Equivalent Special Elements

Product status

Any version
affected

References

https://huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc

cve.org CVE-2024-4897

nvd.nist.gov CVE-2024-4897

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-4897
Find us on
Data Privacy
Terms of Use
Logo Silicon Valley Europe
Logo BSI Allianz für Cyber-Sicherheit