MEDIUM 6.8

GHSA-79h8-gxhq-q3jg

Remote Code Execution in create_conda_env function in lollms

Details

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / lollms

Introduced in: 0

No fixed version published yet for lollms (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-3121 [ADVISORY]
https://github.com/ParisNeo/lollms [PACKAGE]
https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b [WEB]