CVE-2024-3121— Remote Code Execution in create_conda_env function in parisneo/lollms
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-3121
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote Code Execution in create_conda_env function in parisneo/lollms
Source: NVD (National Vulnerability Database)
Vulnerability Description
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
LoLLMs 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs 5.9.0版本存在代码注入漏洞,该漏洞源于存在远程代码执行漏洞,允许攻击者通过env_name和python_version参数注入任意命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| parisneo | parisneo/lollms | unspecified ~ latest | - |
II. Public POCs for CVE-2024-3121
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Remote Code Execution in create_conda_env function in parisneo/lollms | https://github.com/dark-ninja10/CVE-2024-3121 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-3121
请登录查看更多情报信息。
Same Patch Batch · parisneo · 2024-06-24 · 3 CVEs total
| CVE-2024-4499 | CSRF Vulnerability in parisneo/lollms XTTS Server | |
| CVE-2024-4839 | CSRF in Servers Configurations in parisneo/lollms-webui |
IV. Related Vulnerabilities
Same product: parisneo/lollms
Same vendor: parisneo
Same weakness: CWE-94
- CVE-2021-47939
Evolution CMS 3.1.6 Authenticated Remote Code Execution via - CVE-2021-47938
ImpressCMS 1.4.2 Remote Code Execution via Autotasks - CVE-2021-47935
Sentry 8.2.0 Remote Code Execution via Pickle Deserializatio - CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php - CVE-2026-8211
codelibs Fess JSP File AdminDesignAction.java update code in
V. Comments for CVE-2024-3121
No comments yet