PT-2024-23853 · Unknown · Parisneo/Lollms
Published: 2024-06-24 · Updated: 2024-09-13 · CVE-2024-3121
CVSS v3.1: 6.8 (Medium)
Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
parisneo/lollms version 5.9.0
Description
A remote code execution issue exists in the create_conda_env function due to the use of shell=True in the subprocess.Popen function. This allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters, potentially leading to a serious security breach. The vulnerability is demonstrated by the ability to execute the 'whoami' command, among other potentially harmful commands.
Recommendations
For version 5.9.0, consider disabling the create_conda_env function until a patch is available to prevent exploitation. Restrict access to the subprocess.Popen function with shell=True to minimize the risk of arbitrary command injection. Avoid using the env_name and python_version parameters in the affected function until the issue is resolved.
Exploit
Fix
Code Injection
OS Command Injection
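A hardened counterpart to the pattern named in the description, as an added example (not code from lollms or from this advisory): both parameters are checked against allow-lists and passed to conda as an argv list, so no shell ever parses them. The function names, the regular expressions and the exact conda command line are assumptions made for illustration.

```python
import re
import subprocess

# Allow-lists (assumptions for this example): a name must start with an
# alphanumeric so it can never be read as an option; versions look like
# 3, 3.11 or 3.11.4.
ENV_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
PY_VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){0,2}")


def shell_command_string(env_name, python_version):
    """Assumed shape of the risky pattern: one string handed to a shell.
    Built here only for inspection; it is never executed."""
    return f"conda create -n {env_name} python={python_version} -y"


def build_conda_argv(env_name, python_version):
    """Validate both parameters and return an argv list (no shell parsing)."""
    if not isinstance(env_name, str) or not ENV_NAME_RE.fullmatch(env_name):
        raise ValueError(f"rejected env_name: {env_name!r}")
    if not isinstance(python_version, str) or not PY_VERSION_RE.fullmatch(python_version):
        raise ValueError(f"rejected python_version: {python_version!r}")
    return ["conda", "create", "-n", env_name, f"python={python_version}", "-y"]


def create_conda_env_safe(env_name, python_version):
    """Run conda with an argv list; each element reaches conda as one argument."""
    argv = build_conda_argv(env_name, python_version)
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


def is_accepted(env_name, python_version):
    """True if the pair passes validation, False if it is rejected."""
    try:
        build_conda_argv(env_name, python_version)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal pair, shell metacharacters in each
    # parameter, and a name that would be read as an option even without a shell.
    samples = [("demo", "3.11"), ("demo; whoami", "3.11"),
               ("demo", "3.11; whoami"), ("--help", "3.11")]
    for name, version in samples:
        verdict = "accepted" if is_accepted(name, version) else "rejected"
        print(f"{name!r:16} {version!r:16} -> {verdict}")
```

Dropping shell=True alone would still let a value such as "--help" through as a conda option, which is why the allow-list requires a leading alphanumeric.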
Related Identifiers
Affected Products
Parisneo/Lollms