We use cookies to improve your experience on our site.
AVID-2026-R1414
Description
Path Traversal Vulnerability in parisneo/lollms-webui (CVE-2024-2178)
Details
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the ‘copy_to_custom_personas’ endpoint in the ‘lollms_personalities_infos.py’ file. This vulnerability allows attackers to read arbitrary files by manipulating the ‘category’ and ‘name’ parameters during the ‘Copy to custom personas folder for editing’ process. By inserting ‘../’ sequences in these parameters, attackers can traverse the directory structure and access files outside of the intended directory. Successful exploitation results in unauthorized access to sensitive information.
Reason for inclusion in AVID: CVE-2024-2178 describes a path traversal vulnerability in parisneo/lollms-webui, an AI web UI component used to deploy/run general-purpose AI models. It affects software used in AI system deployment, constitutes a security vulnerability (read arbitrary files), and the report provides clear signal (description, affected component, CVSS metrics). This satisfies all four label checks.
References
Affected or Relevant Artifacts
- Developer: parisneo
- Deployer: parisneo
- Artifact Details:
| Type | Name |
|---|---|
| System | parisneo/lollms-webui |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-29 | CWE-29 Path Traversal: ‘..\filename’ |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-06-02
- Version: 0.3.3
- AVID Entry