Threat Intelligence Threat Intelligence

Threat Intelligence Threat Intelligence

Changelog Changelog

Changelog Changelog

Start Free Trial

Start Free Trial

Threat Intelligence Threat Intelligence

Threat Intelligence Threat Intelligence

Changelog Changelog

Changelog Changelog

Start Free Trial

Start Free Trial

CVE-2024-5824
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Published: Jun 27, 2024 / Updated: 4mo ago

010

No CVSS yetEPSS 0.04%

CVE info copied to clipboard

Summary

A path traversal vulnerability has been identified in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0. This vulnerability allows an attacker to overwrite the `configs/config.yaml` file, potentially leading to remote code execution by modifying server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.

Impact

The impact of this vulnerability is severe. An attacker exploiting this vulnerability could gain unauthorized access to the system, potentially leading to remote code execution. This could result in complete compromise of the affected system, allowing the attacker to execute arbitrary code, modify or delete sensitive data, and potentially use the compromised system as a launching point for further attacks. The vulnerability affects the confidentiality, integrity, and availability of the system, all of which are rated as "HIGH" impact according to the CVSS score.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available for this vulnerability. The patch details were added on 2024-06-27, as indicated by the Github Advisory. Users should update to the latest version of parisneo/lollms that addresses this vulnerability.

Mitigation

To mitigate this vulnerability, the following steps are recommended: 1. Update parisneo/lollms to the latest patched version immediately. 2. If immediate updating is not possible, consider temporarily disabling the `/set_personality_config` endpoint until the update can be applied. 3. Implement strict input validation and sanitization for all user-supplied input, especially for file paths. 4. Apply the principle of least privilege to limit the potential impact of successful exploits. 5. Monitor system logs for any suspicious activities related to file access or configuration changes. 6. Regularly review and audit server configurations to ensure security settings haven't been compromised.

Timeline

CVE Assignment

NVD published the first details for CVE-2024-5824

Jun 27, 2024 at 7:15 PM

First Article

Feedly found the first article mentioning CVE-2024-5824. See article

Jun 27, 2024 at 7:21 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 27, 2024 at 7:21 PM

EPSS

EPSS Score was set to: 0.04% (Percentile: 10.6%)

Jun 28, 2024 at 9:56 AM

CVSS

A CVSS base score of 7.4 has been assigned.

Jun 28, 2024 at 9:11 PM / github_advisories

Static CVE Timeline Graph

Patches

Github Advisory

+null more

Attack Patterns

CAPEC-126: Path Traversal

+null more

Vendor Advisory

[GHSA-m45c-v46h-c788] lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE

GitHub Advisory Database / 4mo

GitHub Security Advisory: GHSA-m45c-v46h-c788 Release Date: 2024-06-27 Update Date: 2024-06-28 Severity: High CVE-2024-5824 Base Score: 7.4 Vector String: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Package Information Package: lollms Affected Versions: Patched Versions: 9.5.0 Description A path traversal vulnerability in the /set_personality_config endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file.

News

[GHSA-m45c-v46h-c788] lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE

GitHub Advisory Database / 4mo

GitHub Security Advisory: GHSA-m45c-v46h-c788 Release Date: 2024-06-27 Update Date: 2024-06-28 Severity: High CVE-2024-5824 Base Score: 7.4 Vector String: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Package Information Package: lollms Affected Versions: Patched Versions: 9.5.0 Description A path traversal vulnerability in the /set_personality_config endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file.

NA - CVE-2024-5824 - A path traversal vulnerability in the...

Security-Database Alerts Monitor : Last 100 Alerts / 4mo

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. CWE : Common Weakness Enumeration

CVE-2024-5824 | parisneo lollms up to 9.4.0 Configuration /set_personality_config path traversal

VulDB Recent Entries / 4mo

A vulnerability has been found in parisneo lollms up to 9.4.0 and classified as critical . Affected by this vulnerability is an unknown functionality of the file /set_personality_config of the component Configuration Handler . The manipulation leads to path traversal. This vulnerability is known as CVE-2024-5824 . The attack can be launched remotely. There is no exploit available.

National Vulnerability Database / 4mo

A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.

Vulners.com RSS Feed / 4mo

A path traversal vulnerability in the /set_personality_config endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file. This can lead to remote code execution by changing server configuration properties such as force_accept_remote_access and...

See 1 more articles and social media posts

CVSS V3.1

Unknown

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence 30-day free trial