CVE-2024-3121

LOW

parisneo/lollms 5.9.0 - RCE

Title source: llm

Description

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.

Exploits (1)

nomisec WORKING POC

by dark-ninja10 · poc

https://github.com/dark-ninja10/CVE-2024-3121

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b

Scores

CVSS v3 3.3

EPSS 0.0015

EPSS Percentile 35.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-78 CWE-94

Status published

Products (2)

lollms/lollms 5.9.0

pypi/lollms 0PyPI

Published Jun 24, 2024

Tracked Since Feb 18, 2026