CVE-2024-6971

4.4 MEDIUM

📋 TL;DR

A path traversal vulnerability in the lollms-webui allows attackers to perform vectorize operations on arbitrary .sqlite files on the victim's computer. This can lead to unauthorized package installations and system crashes. Users of the affected lollms-webui software are impacted.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: All versions prior to fix
Operating Systems: All platforms running lollms-webui
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration when using the affected functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains arbitrary file write/read capabilities, installs malicious packages, crashes the system, and potentially achieves remote code execution through package installation.

🟠 Likely Case

Unauthorized vectorization of sensitive .sqlite files, potential data corruption, and system instability leading to service disruption.

🟢 If Mitigated

Limited impact with proper file permissions and network segmentation, potentially only affecting non-critical files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the vulnerable functions, which typically require some level of authentication in the web UI.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the repository for latest patched version

Vendor Advisory: https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e

Restart Required: Yes

Instructions:

1. Update to the latest version of lollms-webui from the official repository.
2. Verify the patch includes path sanitization in the affected functions.
3. Restart the lollms-webui service.

🔧 Temporary Workarounds

Disable vulnerable functions (platform: all)

Temporarily disable or restrict access to the add_rag_database, toggle_mount_rag_database, and vectorize_folder functions. Modify the configuration to disable these endpoints, or put access controls in front of them.

Implement file permission restrictions (platform: linux)

Run lollms-webui with minimal file system permissions, using containerization or a restricted user account, so that the process can only reach the directories it actually needs. Note that a read-only root file system (--read-only) blocks all writes except to mounted volumes, so any directory the application writes to must be mounted explicitly.

  docker run --read-only -v /safe/path:/data lollms-webui
  sudo -u restricted_user python app.py

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the lollms-webui interface
  • Monitor file system access logs for unusual .sqlite file operations from the lollms-webui process

🔍 How to Verify

Check if Vulnerable:

Review the lollms_file_system.py file and check whether the add_rag_database, toggle_mount_rag_database, and vectorize_folder functions pass their path arguments through sanitize_path or sanitize_path_from_endpoint before using them. If the user-supplied path reaches the file system or the vectorizer unchecked, the installation is vulnerable.

Check Version:

Check the repository commit history or version file in the lollms-webui installation directory

Verify Fix Applied:

Verify the patched version includes proper path sanitization in the vulnerable functions and test with controlled path traversal attempts.
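The check the verification steps look for is path containment: a user-supplied database path must resolve to a location inside an allowed directory, with `..` components and symlinks resolved before the comparison. The following is an added illustration written for this page, not lollms-webui's own sanitize_path code; the allowed root, the function names and the sample inputs are assumptions chosen for the demonstration.

```python
"""Added example: confining a user-supplied database path to an allowed root.

This is illustrative code written for this page, not lollms-webui's own
sanitize_path implementation. The allowed root, the function names and the
sample inputs below are assumptions chosen for the demonstration.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed root."""


def resolve_within_root(root: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` if it lies inside `root`.

    Both sides are passed through realpath so that `..` components and symlinks
    are resolved before the containment check; comparing the raw strings would
    let `root/../secrets.sqlite`, or a symlink placed inside root, escape.
    """
    root_real = os.path.realpath(root)
    # A relative request is interpreted relative to the root; an absolute one
    # replaces the root in os.path.join, which is exactly what must be caught.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"path escapes allowed root: {requested!r}")
    return candidate


def safe_rag_database_path(root: str, requested: str) -> str:
    """Validate a RAG database path: inside the root and named as a .sqlite file."""
    candidate = resolve_within_root(root, requested)
    if not candidate.endswith(".sqlite"):
        raise ValueError(f"not a .sqlite database: {requested!r}")
    return candidate


def demo() -> dict:
    """Exercise the check against constructed inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "databases")
        os.makedirs(root)
        outside = os.path.join(tmp, "outside.sqlite")
        open(outside, "w").close()
        open(os.path.join(root, "notes.sqlite"), "w").close()
        # Constructed: a symlink inside the root that points outside it.
        os.symlink(outside, os.path.join(root, "link.sqlite"))

        results = {}
        for label, req in [
            ("plain", "notes.sqlite"),
            ("dotdot", "../outside.sqlite"),
            ("absolute", outside),
            ("symlink", "link.sqlite"),
            ("wrong_ext", "notes.txt"),
        ]:
            try:
                safe_rag_database_path(root, req)
                results[label] = "accepted"
            except PathTraversalError:
                results[label] = "rejected_traversal"
            except ValueError:
                results[label] = "rejected_type"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Only the plain `notes.sqlite` request is accepted; the `..` request, the absolute path and the symlink all resolve outside the root and are rejected by the same containment test, which is the property to look for when auditing the three functions named above.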

📡 Detection & Monitoring

Log Indicators:

  • Unusual .sqlite file access patterns
  • Multiple package installation attempts from lollms-webui
  • Path traversal patterns in request logs

Network Indicators:

  • Unusual requests to the vulnerable endpoints with path traversal payloads

SIEM Query:

source="lollms-webui" AND (path LIKE "%..%" OR file_access="*.sqlite")
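The query above is a sketch; a working detector has to decode the request parameters first, since `..` is often sent percent-encoded and a literal `%..%` match misses it. The script below is an added example written for this page (not a lollms-webui or SIEM feature) that applies the same two indicators, traversal sequences and absolute paths outside the expected database directory, to constructed access-log lines. The log format, the endpoint paths and the allowed root are assumptions; the endpoint names follow the functions named in this advisory.

```python
"""Added example: flagging path-traversal attempts against the RAG endpoints
in web-server access logs.

Written for this page; not lollms-webui or SIEM code. The log format, the
endpoint paths, the allowed root and every sample line are constructed
assumptions.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints assumed to correspond to the functions named in the advisory.
WATCHED_ENDPOINTS = {"/add_rag_database", "/toggle_mount_rag_database", "/vectorize_folder"}

# Constructed sample lines: client, method, request target, status.
SAMPLE_LOG = """\
10.0.0.5 POST /add_rag_database?database_path=rag/notes.sqlite 200
10.0.0.5 POST /add_rag_database?database_path=../../../home/victim/secrets.sqlite 200
10.0.0.9 POST /vectorize_folder?folder_path=%2e%2e%2f%2e%2e%2fetc 200
10.0.0.9 GET /static/app.js 200
10.0.0.7 POST /toggle_mount_rag_database?database_path=/var/lib/lollms/rag/a.sqlite 200
10.0.0.7 POST /toggle_mount_rag_database?database_path=/etc/passwd.sqlite 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$")


def normalise(value: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify separators."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if any path segment is exactly '..' after normalisation."""
    return any(seg == ".." for seg in normalise(value).split("/"))


def flag_line(line: str, allowed_root: str = "/var/lib/lollms/rag") -> Optional[dict]:
    """Return a finding for a suspicious request to a watched endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path not in WATCHED_ENDPOINTS:
        return None
    reasons = []
    for name, values in parse_qs(parts.query).items():
        for v in values:
            nv = normalise(v)
            if has_traversal(nv):
                reasons.append(f"{name}: traversal sequence")
            elif nv.startswith("/") and not nv.startswith(allowed_root + "/"):
                reasons.append(f"{name}: absolute path outside {allowed_root}")
    if not reasons:
        return None
    return {"client": m["client"], "endpoint": parts.path, "reasons": reasons}


def scan(log_text: str) -> list:
    """Run flag_line over every line and collect the findings."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Against the sample lines this flags three requests: the `../` database path, the percent-encoded folder path, and the absolute `/etc/passwd.sqlite` path; the relative in-root request and the unrelated static asset are left alone. Relative paths are only judged on traversal sequences here because the application, not the log, decides what they resolve against.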
