AVID-2026-R1430

Description

Path Traversal leading to Remote Code Execution in parisneo/lollms-webui (CVE-2024-2358)

Details

A path traversal vulnerability in the ‘/apply_settings’ endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the ‘extensions’ parameter. Attackers can exploit this by crafting a payload that includes relative path traversal sequences ('../../../'), enabling them to navigate to arbitrary directories. This flaw subsequently allows the server to load and execute a malicious ‘init.py’ file, leading to remote code execution. The issue affects the latest version of parisneo/lollms-webui.
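A containment check of the kind this flaw calls for, as an added example (not code from lollms-webui or from this advisory): each entry of a submitted 'extensions' list is resolved against a fixed root and rejected if it lands outside it. The function names, the root directory and the sample inputs are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


class UnsafeExtensionPath(ValueError):
    """Raised when a requested extension would resolve outside the root."""


def resolve_extension_dir(extensions_root, name):
    """Return the directory for extension `name`, or raise if it escapes the root.

    Both arguments are hypothetical: `extensions_root` stands for the directory
    the server loads extensions from, `name` for one 'extensions' entry.
    """
    root = Path(extensions_root).resolve()
    if not isinstance(name, str) or not name or "\x00" in name:
        raise UnsafeExtensionPath(f"invalid extension name: {name!r}")
    # Normalise both separator styles so '..\' is treated like '../'.
    candidate = (root / name.replace("\\", "/")).resolve()
    # resolve() collapses '..' and follows symlinks; an absolute `name` replaces
    # the root in the join and is caught by the same containment test.
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafeExtensionPath(f"extension escapes {root}: {name!r}")
    return candidate


def filter_extensions(extensions_root, requested):
    """Split a submitted 'extensions' list into (accepted paths, rejected names)."""
    accepted, rejected = [], []
    for name in requested:
        try:
            accepted.append(resolve_extension_dir(extensions_root, name))
        except UnsafeExtensionPath:
            rejected.append(name)
    return accepted, rejected


def demo():
    # Constructed sample input, not taken from the advisory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        (root / "bound" / "helper").mkdir(parents=True)
        submitted = ["bound/helper", "../../../tmp/x", "..\\..\\x", "/etc", ""]
        accepted, rejected = filter_extensions(root, submitted)
        return [p.relative_to(root.resolve()).as_posix() for p in accepted], rejected
```

Rejected names are worth logging with the client address, since a traversal sequence in a settings update is a strong signal of probing.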

Reason for inclusion in AVID: CVE-2024-2358 describes a path traversal vulnerability in parisneo/lollms-webui leading to remote code execution by loading a malicious init.py. This is a software vulnerability affecting an AI software stack component used to deploy/run AI systems, i.e., part of the general-purpose AI supply chain. The issue is security-related (RCE) and the report provides explicit vulnerability details and evidence.

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      • Type: System
      • Name: parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 9.8
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-29
  • Description: CWE-29 Path Traversal: ‘..\filename’

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-16
  • Version: 0.3.3
  • AVID Entry