Lucene search

[email protected]NVD:CVE-2024-5182

HistoryJun 20, 2024 - 12:15 a.m.

CVE-2024-5182

2024-06-2000:15:09

CWE-22

[email protected]

web.nvd.nist.gov

path traversal

mudler

localai

version 2.14.0

input validation

sanitization

model parameter

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

18.7%

JSON

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.

Affected configurations

Nvd

Node

mudlerlocalaiRange<2.16.0

VendorProductVersionCPE
mudlerlocalai*cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mudler	localai	*	cpe:2.3:a:mudler:localai::::::::

References

github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e

huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

18.7%

JSON

Related for NVD:CVE-2024-5182

github1 cvelist1 vulnrichment1 veracode1 osv3 cve1