Lucene search

HistoryJun 07, 2024 - 12:00 a.m.

Ollama < 0.1.34 Improper Input Validation

2024-06-0700:00:00

www.tenable.com

ollama

improper input validation

vulnerability

nessus

remote host

model path

test cases

mishandles

sha256

9.6 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

The version of Ollama installed on the remote host is prior to 0.1.34. It is, therefore, affected by an improper input validation vulnerability. Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial …/ substring.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(200185);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/25");

  script_cve_id("CVE-2024-37032");
  script_xref(name:"IAVB", value:"2024-B-0072");

  script_name(english:"Ollama < 0.1.34 Improper Input Validation");

  script_set_attribute(attribute:"synopsis", value:
"The Ollama instance installed on the remote host is affected by an improper input validation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Ollama installed on the remote host is prior to 0.1.34. It is, therefore, affected by an improper input
validation vulnerability. Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits)
when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more
than 64 hex digits, or an initial ../ substring.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-8hqg-whrw-pv92");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Ollama version 0.1.34 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-37032");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:ollama:ollama");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ollama_mac_installed.nbin");
  script_require_keys("installed_sw/ollama");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'ollama');

var constraints = [
  {'fixed_version': '0.1.34'}
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

VendorProductVersionCPE
ollamaollamax-cpe:/a:ollama:ollama

Vendor	Product	Version	CPE
ollama	ollama		x-cpe:/a:ollama:ollama

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37032

github.com/advisories/GHSA-8hqg-whrw-pv92