CVE-2024-6085 - OpenCVE

A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-27T18:45:15.903Z

Updated: 2024-07-09T19:16:52.617Z

Reserved: 2024-06-17T17:39:09.676Z

Link: CVE-2024-6085

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-06-27T19:15:19.287

Modified: 2024-06-27T19:25:12.067

Link: CVE-2024-6085

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6085", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-06-17T17:39:09.676Z", "datePublished": "2024-06-27T18:45:15.903Z", "dateUpdated": "2024-07-09T19:16:52.617Z"}, "containers": {"cna": {"title": "Path Traversal in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-27T18:45:15.903Z"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "source": {"advisory": "d2fb73d7-4b4f-451a-8763-484c189a27fe", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "parisneo", "product": "lollms", "cpes": ["cpe:2.3:a:parisneo:lollms:9.6:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.6", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T14:03:35.429378Z", "id": "CVE-2024-6085", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T19:16:52.617Z"}}]}}