Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-6971

LOW
Published 2024-10-11T12:14:13.156Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-6971. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.0
3.4
/10
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.000
probability
of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.064
Higher than 6.4% of all CVEs

Attack Vector Metrics

Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
LOW
Availability
LOW

Description

A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

parisneo

parisneo/lollms

Affected Versions:

unspecified
parisneo

lollms

Affected Versions:

0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

Lord of Large Language Models (LoLLMs) Server path traversal vulnerability in lollms_file_system.py

GHSA-7pgr-32fx-c6x9

Advisory Details

A path traversal vulnerability exists in the ParisNeo/lollms repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.

Affected Packages

PyPI lollms
ECOSYSTEM: ≥0 ≤9.5.1

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-6971
WEB https://github.com/ParisNeo/lollms/commit/aeace796d861e922133b769710019608a6363264
PACKAGE https://github.com/ParisNeo/lollms
WEB https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e

Advisory provided by GitHub Security Advisory Database. Published: October 11, 2024, Modified: October 11, 2024

References

https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e
Published: 2024-10-11T12:14:13.156Z
Last Modified: 2024-10-11T14:34:23.637Z
Copied to clipboard!