CVE-2024-3429

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3429

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3429.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3429

Aliases

GHSA-3x47-w4rx-6pm7

Published

2024-06-06T19:16:02Z

Modified

2025-07-02T00:30:20.186694Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize_path_from_endpoint and sanitize_path functions in lollms_core\lollms\security.py. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.6.

References

Affected packages

Git / github.com/parisneo/lollms

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f4424cfc3d6dfb3ad5ac17dd46801efe784933e9

Affected versions

v5.*

v5.9.0