Lucene search

GoogleOSV:CVE-2024-5182

HistoryJun 20, 2024 - 12:15 a.m.

CVE-2024-5182

2024-06-2000:15:09

Google

osv.dev

path traversal

vulnerability

mudler/localai

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.

CPENameOperatorVersion
localaieq2.6.1
localaieq2.8.1
localaieq1.1.0
localaieq2.6.0
localaieq2.0.0
localaieq1.20.1
localaieq1.13.0
localaieq2.12.0
localaieq1.18.0
localaieq2.8.2

Name	Operator	Version
localai	eq	2.6.1
localai	eq	2.8.1
localai	eq	1.1.0
localai	eq	2.6.0
localai	eq	2.0.0
localai	eq	1.20.1
localai	eq	1.13.0
localai	eq	2.12.0
localai	eq	1.18.0
localai	eq	2.8.2

Rows per page:

1-10 of 871

References

github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e

huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for OSV:CVE-2024-5182