parisneo lollms-webui up to 9.4 /reinstall_extension ExtensionBuilder.build_extension data.name path traversal

Summaryinfo

A vulnerability, which was classified as critical, has been found in parisneo lollms-webui up to 9.4. This impacts the function ExtensionBuilder.build_extension of the file /reinstall_extension. The manipulation of the argument data.name leads to path traversal. This vulnerability is referenced as CVE-2024-2356. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in parisneo lollms-webui up to 9.4 and classified as critical. This issue affects the function ExtensionBuilder.build_extension of the file /reinstall_extension. The manipulation of the argument data.name with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-29. The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation.

It is possible to read the advisory at huntr.com. The identification of this vulnerability is CVE-2024-2356 since 03/09/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1006 according to MITRE ATT&CK.

Upgrading to version 9.5 eliminates this vulnerability. Applying the patch 41dbb1b3f2e78ea276e5269544e50514252c0c25 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-27309). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• parisneo

Name

• lollms-webui

Version

• 9.0
• 9.1
• 9.2
• 9.3
• 9.4

License

• open-source

Website

• Product: https://github.com/parisneo/lollms-webui/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion