How severe is CVE-2024-2361?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2024-2361?

This is classified as CWE-29, which is a common weakness in software security.

CVE-2024-2361 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.

Related Vulnerabilities

CVE-2024-2624

CRITICAL

CVSS:9.4(Critical)

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lol...

CWE-292024

CVE-2023-1177

CRITICAL

CVSS:9.8(Critical)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

CWE-292023

CVE-2023-2780

CRITICAL

CVSS:9.8(Critical)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

CWE-292023

CVE-2023-6975

CRITICAL

CVSS:9.8(Critical)

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CWE-292023

CVE-2024-2358

CRITICAL

CVSS:9.8(Critical)

A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-...

CWE-292024

CVE-2024-2360

CRITICAL

CVSS:9.8(Critical)

parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path'...

CWE-292024