Lucene search

@huntr_aiCVE-2024-5616

HistoryJul 06, 2024 - 9:15 a.m.

CVE-2024-5616

2024-07-0609:15:02

CWE-352

@huntr_ai

web.nvd.nist.gov

csrf vulnerability

mudler/localai

model deletion

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

4.7

Confidence

High

EPSS

Percentile

9.2%

JSON

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as ‘gpt-4-vision-preview’, without the victim’s consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.

Affected configurations

Vulners

Vulnrichment

Node

mudlerlocalaiMatch2.17

VendorProductVersionCPE
mudlerlocalai2.17cpe:2.3:a:mudler:localai:2.17:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mudler	localai	2.17	cpe:2.3:a:mudler:localai:2.17:::::::*

CNA Affected

[
  {
    "vendor": "mudler",
    "product": "mudler/localai",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.17",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b

huntr.com/bounties/fd753fb6-ba04-4dd8-abef-918fb97120af

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

4.7

Confidence

High

EPSS

Percentile

9.2%

JSON

Related for CVE-2024-5616