CVE-2024-3121

EIP tracks 1 public exploit for CVE-2024-3121. PoCs published by dark-ninja10.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2024-3121, demonstrating a shell injection vulnerability in the `create_conda_env` function of the `lollms` framework. The exploit leverages unsanitized input in the `env_name` parameter to execute arbitrary commands via `subprocess.Popen` with `shell=True`.

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.