CVE-2024-5182 Path Traversal in mudler/localai

2024-06-1923:30:38

CWE-22

@huntr_ai

www.cve.org

cve-2024-5182

path traversal

mudler/localai

input validation

sanitization

model deletion

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

18.7%

JSON

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.

CNA Affected

[
  {
    "vendor": "mudler",
    "product": "mudler/localai",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.16.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]