CVE-2024-4897— LoLLMs 安全漏洞

Remote Code Execution in parisneo/lollms-webui

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.

N/A

等价特殊元素的转义处理不恰当

LoLLMs 安全漏洞

LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs 存在安全漏洞，该漏洞源于存在远程代码执行漏洞，允许攻击者上传托管在hugging-face上的恶意模型文件并与之交互。

N/A

N/A