Description
A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.
References
- Patch
- Exploit, Issue Tracking, Patch
- Patch
- Exploit, Issue Tracking, Patch
Vulnerable configurations
Configuration 1: versions before 2.16.0 (exclusive)
cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*
EPSS: 0.02492 (Low), percentile: 85%
CVSS3: 7.5 High
CVSS3: 9.1 Critical
Weaknesses: CWE-22