CVE-2024-4897
July 2, 2024, 5:44 p.m.
Tags
CVSS Score
Product(s) Impacted
parisneo/lollms-webui
- latest version
llama-cpp-python
- llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64
Description
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.
Weaknesses
CWE-76
Improper Neutralization of Equivalent Special Elements
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
CWE ID: 76Date
Published: July 2, 2024, 3:15 p.m.
Last Modified: July 2, 2024, 5:44 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@huntr.dev
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
Exploitability Score
Impact Score
Base Severity
HIGHCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H