AVID-2026-R1461

Description

Remote Code Execution in create_conda_env function in parisneo/lollms (CVE-2024-3121)

Details

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the ‘whoami’ command among potentially other harmful commands.

Reason for inclusion in AVID: CVE-2024-3121 describes a remote code execution flaw in parisneo/lollms’s create_conda_env using shell=True in subprocess.Popen, enabling arbitrary commands via controlled env_name/python_version. This vulnerability resides in software used to build/run AI models (Lollms), impacting the AI software stack and environments. It constitutes a software supply-chain risk for general-purpose AI systems since an attacker could exploit environment creation during installation/deployment. The CVE text provides explicit RCE potential and affected code path.

References

• NVD entry
• https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b

Affected or Relevant Artifacts

• Developer: parisneo
• Deployer: parisneo
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-06-24
• Version: 0.3.3
• AVID Entry