Critical

lollms

Path Traversal Leading to Remote Code Execution in Extension Mounting Function

A vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function, allows for remote code execution through a path traversal bypass. This issue, identified as CVE-2024-4320, affects versions up to 5.9.0 and was patched in version 9.8.

Available publicly on Jun 22 2024

CVSS score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Credit: nhienit2010

Remediation Steps
  • Update to version 9.8 or later to patch the vulnerability.
  • Review and sanitize all input parameters rigorously to prevent path traversal.
  • Implement additional checks to ensure that only authorized files can be executed as extensions.
  • Regularly audit and monitor extension mounting requests for suspicious activity.
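The second and third remediation steps above (reject path traversal, mount only authorized extensions) can be enforced with a containment check like the one below, written here as an added Python example rather than lollms's own code; the extensions root, the loader file name and the extension names are assumptions.

```python
from __future__ import annotations
from pathlib import Path

# Constructed layout for this example: each extension is a directory under
# EXTENSIONS_ROOT that contains a loader script. Both values are assumptions,
# not taken from the lollms code base.
EXTENSIONS_ROOT = Path("/opt/lollms/extensions")
LOADER_NAME = "__init__.py"


class ExtensionPathError(ValueError):
    """Request names a location outside the extensions root or an unknown extension."""


def resolve_extension_path(requested: str,
                           root: Path = EXTENSIONS_ROOT,
                           allowed: frozenset[str] | None = None) -> Path:
    """Map a client-supplied extension name to its loader file inside `root`.

    Two independent checks: a syntactic one on the raw request (no absolute
    path, no '..' component, no NUL byte, at least one component) and a
    canonical one on the resolved location, which also refuses escapes through
    a symlink placed inside `root`. `allowed`, when given, is the set of
    installed extension names that may be mounted at all.
    """
    if not requested or "\x00" in requested:
        raise ExtensionPathError("empty or NUL-containing extension name")
    rel = Path(requested)
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise ExtensionPathError(f"traversal rejected: {requested!r}")
    if allowed is not None and rel.parts[0] not in allowed:
        raise ExtensionPathError(f"extension not authorized: {rel.parts[0]!r}")

    root_real = root.resolve()
    candidate = (root_real / rel / LOADER_NAME).resolve()
    # Containment is decided on canonical paths, so a symlink under `root`
    # that points elsewhere resolves outside root_real and is refused here.
    if not candidate.is_relative_to(root_real):
        raise ExtensionPathError(f"resolved outside extensions root: {candidate}")
    return candidate


def is_safe_extension_request(requested: str, **kw) -> bool:
    """Predicate form, usable for request validation or when reviewing mount logs."""
    try:
        resolve_extension_path(requested, **kw)
        return True
    except ExtensionPathError:
        return False


if __name__ == "__main__":
    for name in ("vision_tools", "../../etc/passwd", "vision_tools/../../x", "/etc/passwd"):
        print(f"{name!r:28} -> {is_safe_extension_request(name)}")
```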

Patch Details
  • Fixed Version: 9.8
  • Patch Commit: https://github.com/ParisNeo/lollms/commit/2d0c4e76be93195836ecd0948027e791b8a2626f