CVE-2024-4315

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Jun 12, 2024 / Updated: 5mo ago

No CVSS yet / EPSS 0.04%

Summary

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function does not treat the Windows path separator (backslash `\`) as a separator, so traversal sequences written as `..\` pass a check that only looks for the forward-slash form, allowing directory traversal on Windows hosts. Several routes reach the flawed function, and through them an unauthenticated attacker can read or delete arbitrary files on the Windows filesystem, compromising confidentiality and availability. Although this record carries the CWE-98 (PHP Remote File Inclusion) label, the underlying weakness is path traversal in a Python application; the advisory describes it as LFI.

Impact

Attackers can read sensitive files like configuration files with credentials, or delete critical system files, leading to denial of service conditions. This can fully compromise the confidentiality and availability of the affected Windows system running lollms 9.5.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.

Patch

A fix is referenced from the GitHub advisory at https://github.com/advisories/GHSA-vqwr-q6cc-c242. Upgrade to the patched version named there to remediate this vulnerability.

Mitigation

As a workaround, restrict access to the vulnerable `personalities` and `/del_preset` routes. Any path sanitization applied to user input must treat both `/` and `\` as separators, reject absolute paths and drive-letter or UNC prefixes, and confirm that the normalized result still lies inside the intended base directory; a filter that only recognizes the forward-slash form of `..` is exactly what this issue bypasses. A web application firewall can add a layer of protection against LFI and path traversal attempts, but only as defense in depth, not as a substitute for the fix.
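The following Python example is added here to illustrate the separator defect described in the Summary and the hardened check described in the Mitigation above. It is not lollms code: `weak_sanitize` is a constructed stand-in for a filter that only recognizes forward-slash traversal, `safe_sanitize` is an illustrative hardened replacement, and `BASE_DIR` and the probe strings are assumptions made for the example. `posixpath` is used on purpose so the logic behaves identically on a Linux or Windows host and never touches the filesystem.

```python
import posixpath
import re

# Hypothetical base directory served by a personalities-style endpoint
# (assumption for this example; a real deployment path differs).
BASE_DIR = "/srv/lollms/personalities"

# Drive-letter (C:\...) and UNC (\\server\share or //server/share) prefixes.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def weak_sanitize(user_path: str):
    """Constructed stand-in for a separator-specific filter (NOT project code).

    It only recognises forward-slash traversal, so Windows-style '..\\..\\'
    sequences pass untouched. Returns the joined path, or None if rejected.
    """
    if user_path.startswith("/") or "../" in user_path:
        return None
    return posixpath.join(BASE_DIR, user_path)


def safe_sanitize(user_path: str):
    """Hardened check: normalise both separators, then confine to BASE_DIR.

    Returns the confined absolute path, or None when the input is rejected.
    """
    if not user_path or "\x00" in user_path:
        return None
    # Reject drive letters and UNC prefixes before touching separators.
    if _DRIVE_OR_UNC.match(user_path):
        return None
    # Treat '\\' exactly like '/' so '..\\' cannot hide from the checks below.
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/"):
        return None
    # Collapse '.' and '..' components; anything still climbing out is rejected.
    collapsed = posixpath.normpath(normalized)
    if collapsed in (".", "..") or collapsed.startswith("../"):
        return None
    # Final containment check on the joined result.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, collapsed))
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


# Constructed probes: a benign request, a forward-slash traversal, the
# backslash variants that defeat the weak filter, and an absolute drive path.
PROBES = [
    "default/config.yaml",
    "../../etc/passwd",
    "..\\..\\Windows\\win.ini",
    "default\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Windows\\win.ini",
]


def compare(probes=PROBES):
    """Return {probe: (weak_result, safe_result)} for each probe."""
    return {p: (weak_sanitize(p), safe_sanitize(p)) for p in probes}


if __name__ == "__main__":
    for probe, (weak, safe) in compare().items():
        print(f"{probe!r:62} weak={weak!r} safe={safe!r}")
```

Running the block shows the weak filter accepting `..\..\Windows\win.ini` (the joined string still contains the climbing components, which a Windows filesystem will honour) while rejecting only the `/`-spelled variant; the hardened version rejects both spellings, the drive-letter path, and the empty string, and accepts a benign relative path under the base directory.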

Timeline

CVE Assignment

NVD published the first details for CVE-2024-4315

Jun 12, 2024 at 1:15 AM
First Article

Feedly found the first article mentioning CVE-2024-4315.

Jun 12, 2024 at 1:22 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 12, 2024 at 1:22 AM
CVSS

A CVSS base score of 9.1 has been assigned.

Jun 12, 2024 at 5:20 PM / github_advisories
EPSS

EPSS Score was set to: 0.04% (Percentile: 9%)

Jun 13, 2024 at 3:50 PM

Patches

Github Advisory

Attack Patterns

CAPEC-193: PHP Remote File Inclusion

Vendor Advisory

[GHSA-vqwr-q6cc-c242] parisneo/lollms Local File Inclusion (LFI) attack
GitHub Security Advisory: GHSA-vqwr-q6cc-c242
Release Date: 2024-06-12
Update Date: 2024-06-12
Severity: Critical
CVE: CVE-2024-4315
Base Score: 9.1
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Package: lollms
Affected Versions: (not listed in the advisory excerpt)
Patched Versions: 9.5.0
Description: parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization.

News

New critical vulnerabilities reported in Open Source AI/ML tools
Protect AI reports critical vulnerabilities discovered in various open-source AI/ML tools. CVE-2024-3429 (CVSS score 9.8): arbitrary file reading via path traversal in LoLLMs. Recommendation: upgrade to version 9.6.
NA - CVE-2024-4315 - parisneo/lollms version 9.5 is vulnerable to...
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize...
CVE-2024-4315 | parisneo lollms up to 9.7 sanitize_path_from_endpoint filename control
A vulnerability was found in parisneo lollms up to 9.7. It has been declared as critical. Affected by this vulnerability is the function sanitize_path_from_endpoint. The manipulation leads to improper control of filename for include/require statement in PHP program ('PHP remote file inclusion'). This vulnerability is known as CVE-2024-4315. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-4315
Severity (CVSS 3.1 Base Score)

CVSS V3.1

Unknown
