CVE-2024-6394
Published: 30 September 2024
Summary
CVE-2024-6394 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Lollms Web Ui. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 33.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016), Exfiltration via AI Inference API (AML.T0024).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47500
Vulnerability details
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
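The bug class described above, unverified concatenation of a request-supplied filename onto a base directory, shown beside a hardened resolver. This is an added illustration, not code from lollms-webui; the function names, the `static/` layout and the `secret.txt` stand-in for host files are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical handler shapes, not lollms-webui's own code. The bug class
# assumed here: a request-supplied filename is concatenated onto a base
# directory without checking that the result stays inside that directory.
def unsafe_resolve(base_dir: str, requested: str) -> str:
    # Unverified concatenation: "../" or "..\" segments walk out of base_dir.
    return os.path.join(base_dir, requested)

def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Return the on-disk path for `requested` only if it is a file inside base_dir."""
    # CWE-29 covers '\..\filename' payloads; on POSIX a backslash is a legal
    # filename character, so normalise it to '/' instead of trusting it as a name.
    base = Path(base_dir).resolve()
    candidate = (base / requested.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)  # ValueError when candidate left base_dir
    except ValueError:
        return None
    # resolve() follows symlinks, so a link pointing outside base_dir is rejected too.
    return candidate if candidate.is_file() else None

def demo() -> dict:
    # Constructed layout: one served asset inside the root and a "secret" file
    # one level above it, standing in for keys or config on the host.
    tmp = Path(tempfile.mkdtemp()).resolve()
    static = tmp / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('ok');")
    (tmp / "secret.txt").write_text("not for the browser")
    secret = str(tmp / "secret.txt")
    return {
        "unsafe_escapes": os.path.realpath(unsafe_resolve(str(static), "../secret.txt")) == secret,
        "safe_blocks_slash": safe_resolve(str(static), "../secret.txt") is None,
        "safe_blocks_backslash": safe_resolve(str(static), "..\\secret.txt") is None,
        "safe_serves_asset": safe_resolve(str(static), "app.js") == static / "app.js",
    }

if __name__ == "__main__":
    print(demo())
```

Rejecting on the resolved path rather than on the raw string is what closes the gap: it catches encoded, backslash and symlink variants that a substring check for `..` misses.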
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: parisneo/lollms-webui is a web user interface platform for running and managing Large Language Models (LLMs) locally, qualifying as an AI-related platform for model interaction and deployment.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI via path traversal in a web application enables exploitation of a public-facing application (T1190) to read arbitrary local files, which facilitates data collection (T1005), credentials in files (T1081, T1552.001), and access to private keys such as SSH keys (T1552.004).
MITRE ATLAS Techniques
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.