Lucene search

GitHub_MVULNRICHMENT:CVE-2024-42479

HistoryAug 12, 2024 - 3:07 p.m.

CVE-2024-42479 llama.cpp allows write-what-where in rpc_server::set_tensor

2024-08-1215:07:19

CWE-123

GitHub_M

github.com

llama.cpp

vulnerability

b3561

rpc_server

set_tensor

rpc_tensor

data pointer

llm inference

c++

arbitrary address writing

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

38.0%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

llama.cpp provides LLM inference in C/C++. The unsafe data pointer member in the rpc_tensor structure can cause arbitrary address writing. This vulnerability is fixed in b3561.

CNA Affected

[
  {
    "vendor": "ggerganov",
    "product": "llama.cpp",
    "versions": [
      {
        "status": "affected",
        "version": "< b3561"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:ggerganov:llama.cpp:*:*:*:*:*:*:*:*"
    ],
    "vendor": "ggerganov",
    "product": "llama.cpp",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "b3561",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/ggerganov/llama.cpp/commit/b72942fac998672a79a1ae3c03b340f7e629980b

github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

38.0%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-42479