Lucene search

GoogleOSV:CVE-2024-5616

HistoryJul 06, 2024 - 9:15 a.m.

CVE-2024-5616

2024-07-0609:15:02

Google

osv.dev

csrf

mudler/localai

deletion vulnerability

insufficient protection

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

JSON

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as ‘gpt-4-vision-preview’, without the victim’s consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.

References

github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b

huntr.com/bounties/fd753fb6-ba04-4dd8-abef-918fb97120af

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

JSON

Related for OSV:CVE-2024-5616