CVE-2024-4330
Published: 30 May 2024
Summary
CVE-2024-4330 is a low-severity Relative Path Traversal (CWE-23) vulnerability in Lollms Lollms Web Ui. Its CVSS base score is 3.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked at the 31.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2008
Vulnerability details
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory…
more
structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to access arbitrary directories. The vulnerability is present in the code located at the 'endpoints/lollms_advanced.py' file.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The vulnerability affects parisneo/lollms-webui, a web UI platform for running large language models (LLMs) locally with features like personalities, which qualifies as an other AI platform.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vulnerability enables exploitation of public-facing web application (T1190) for file and directory discovery (T1083) by listing subfolder names in arbitrary directories.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.