Lucene search

@huntr_aiCVELIST:CVE-2024-5616

HistoryJul 06, 2024 - 8:38 a.m.

CVE-2024-5616 CSRF Vulnerability in mudler/LocalAI

2024-07-0608:38:02

CWE-352

@huntr_ai

www.cve.org

cross-site request forgery

mudler/localai

model deletion

insufficient protection

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS

Percentile

9.2%

JSON

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as ‘gpt-4-vision-preview’, without the victim’s consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.

CNA Affected

[
  {
    "vendor": "mudler",
    "product": "mudler/localai",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.17",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b

huntr.com/bounties/fd753fb6-ba04-4dd8-abef-918fb97120af

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-5616