CVE-2024-2361
Published: 16 May 2024
Summary
CVE-2024-2361 is a critical-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Lollms Web Ui. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: Adversarial AI Attack Implementations (AML.T0016.000), Hardware (AML.T0010.000), Infer Training Data Membership (AML.T0024.000).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27314
Vulnerability details
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and…
more
other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- parisneo/lollms-webui is a web UI platform for running and managing Large Language Models (LLMs), fitting under 'Other Platforms' as it provides a user interface and bindings for AI model deployment and interaction, not strictly a framework, library, or specific AI subdomain like NLP Transformers or Computer Vision.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability in a public-facing web UI (T1190) enables arbitrary file reads for data exfiltration (T1005), file discovery (T1083), and credential theft from files (T1552.001), and arbitrary uploads for web shell deployment (T1100).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.