CVSS 3.0 base score 8.4
CVE-2024-4897
- EPSS 1.1%
- Published 2024-07-02 15:15:11
- Last modified 2025-07-09 14:22:10
- Source security@huntr.dev
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.
Data provided by the National Vulnerability Database (NVD)
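The record above says only that a crafted GGUF model file reaches the llama-cpp-python flaw. The underlying issue in CVE-2024-34359, which the page does not spell out, is that llama-cpp-python rendered the `tokenizer.chat_template` string stored in the GGUF metadata with an unsandboxed Jinja2 environment, so a template written into the model file runs arbitrary Python on the host as soon as the model is loaded. A practical check for a model zoo that pulls community files from Hugging Face is to read that metadata with a standalone parser and refuse files whose template carries sandbox-escape idioms before any inference library opens them. The following is an added example, not code from lollms-webui, llama-cpp-python or the NVD record; the two GGUF sample files and the pattern list are constructed for illustration.

```python
"""Pre-load scan of GGUF metadata for Jinja2 chat-template injection (added
example; parses only the header and key/value section, never the tensors).
The sample files and the pattern list are constructed for illustration."""
import re
import struct

GGUF_MAGIC = b"GGUF"
# GGUF metadata value type codes (GGUF spec, file versions 2 and 3).
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32, T_BOOL,
 T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)
_SCALAR_FMT = {T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
               T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
               T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d"}
# Idioms used in Jinja2 sandbox escapes; a chat template only formats messages
# and has no legitimate reason to contain any of them.
SUSPICIOUS = re.compile(
    r"__class__|__mro__|__subclasses__|__globals__|__builtins__|__import__"
    r"|\bos\.(?:system|popen)|\bsubprocess\b|\b(?:exec|eval|open)\(")


class _Reader:
    """Bounds-checked little-endian cursor over the file bytes."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def unpack(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError("truncated GGUF file")
        (val,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return val

    def string(self):                       # gguf_string: uint64 length + bytes
        n = self.unpack("<Q")
        if n > len(self.data) - self.pos:
            raise ValueError("truncated GGUF string")
        raw, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return raw.decode("utf-8", errors="replace")

    def value(self, vtype):
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:                # array: element type, count, elements
            etype, count = self.unpack("<I"), self.unpack("<Q")
            return [self.value(etype) for _ in range(count)]
        if vtype not in _SCALAR_FMT:
            raise ValueError("unknown GGUF value type %d" % vtype)
        return self.unpack(_SCALAR_FMT[vtype])


def read_metadata(data):
    """Return the key/value metadata of a GGUF v2/v3 file as a dict."""
    r = _Reader(data)
    if r.unpack("<4s") != GGUF_MAGIC:
        raise ValueError("not a GGUF file")
    version = r.unpack("<I")
    if version not in (2, 3):
        raise ValueError("unsupported GGUF version %d" % version)
    r.unpack("<Q")                          # tensor_count, not needed here
    kv_count = r.unpack("<Q")
    meta = {}
    for _ in range(kv_count):
        key = r.string()
        meta[key] = r.value(r.unpack("<I"))
    return meta


def scan_gguf(data):
    """Report sandbox-escape idioms found in tokenizer.chat_template."""
    template = read_metadata(data).get("tokenizer.chat_template")
    if not isinstance(template, str):
        return {"has_chat_template": False, "suspicious_tokens": [], "safe_to_load": True}
    hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(template)})
    return {"has_chat_template": True, "suspicious_tokens": hits, "safe_to_load": not hits}


def build_gguf(metadata):
    """Build a minimal tensor-less GGUF v3 file (constructed test input only)."""
    def gstr(s):
        b = s.encode("utf-8")
        return struct.pack("<Q", len(b)) + b
    out = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, len(metadata))
    for key, val in metadata.items():
        out += gstr(key)
        if isinstance(val, str):
            out += struct.pack("<I", T_STRING) + gstr(val)
        elif isinstance(val, bool):         # checked before int: bool subclasses int
            out += struct.pack("<IB", T_BOOL, val)
        else:
            out += struct.pack("<II", T_UINT32, val)
    return out


# Constructed samples: a normal template and one carrying a sandbox-escape probe.
BENIGN = build_gguf({
    "general.architecture": "llama",
    "llama.context_length": 4096,
    "tokenizer.chat_template":
        "{% for m in messages %}{{ m['role'] }}: {{ m['content'] }}\n{% endfor %}",
})
MALICIOUS = build_gguf({
    "general.architecture": "llama",
    "tokenizer.chat_template": "{{ ''.__class__.__mro__[1].__subclasses__() }}",
})
```

`scan_gguf(BENIGN)` reports the file as safe to load; `scan_gguf(MALICIOUS)` returns `safe_to_load: False` with `__class__`, `__mro__` and `__subclasses__` listed. The scanner deliberately reads the file with its own bounds-checked cursor rather than through the inference library, so a hostile file is rejected before any native loader parses it. It is a belt-and-braces control, not a substitute for the real fix: llama-cpp-python closed CVE-2024-34359 by rendering the template in jinja2's ImmutableSandboxedEnvironment instead of a plain Environment, and for lollms-webui the fix is lifting the pinned 0.2.61 build to a patched release (the record lists Web UI versions below 9.8 as affected).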
Affected: Lollms ≫ Lollms Web UI, versions < 9.8
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.1% | 0.773 |
| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@huntr.dev | 8.4 | 2.5 | 5.9 | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Note that the huntr vector rates the attack vector as Local (AV:L) with no privileges and no user interaction required; the "remote code execution" in the description refers to the effect of loading a remotely hosted model file, not to a network-reachable entry point. The same impact metrics with AV:N would score 9.8.
CWE-76 Improper Neutralization of Equivalent Special Elements
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.