exploitDog

CVE-2024-12886

Published: 20 Mar 2025
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

An Out-Of-Memory (OOM) vulnerability exists in the ollama server version 0.3.14. It is triggered when ollama, acting as an HTTP client, receives a gzip-bomb HTTP response from a malicious API server; the resulting allocation crashes the ollama server. The vulnerable code is in the makeRequestWithRetry and getAuthorizationToken functions, which read the response body with io.ReadAll and therefore buffer the entire decompressed body, however large, in memory. This results in excessive memory usage and a Denial of Service (DoS) condition.

A flaw was found in Ollama. This vulnerability allows a denial of service (DoS) condition via excessive memory consumption when a malicious API server responds with a gzip bomb HTTP response. The makeRequestWithRetry and getAuthorizationToken functions use io.ReadAll to read the response body, which leads to out-of-memory crashes.

Statement

Ansible LightSpeed does not use the Ollama server; the library is included in the image only for local development or testing.

Mitigation

Implementing input validation to restrict the types of GZIP data accepted by the application would help to mitigate the risk of exploitation. In practice this means bounding the decompressed size of a response body before buffering it, rather than handing the gzip stream to io.ReadAll with no limit.
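The following Go program is an added example, not code from the page, from Red Hat or from the Ollama project. It shows the unbounded io.ReadAll pattern the description attributes to makeRequestWithRetry and getAuthorizationToken beside a hardened reader that caps the decompressed size, which is the check the mitigation above calls for. The gzip bomb, the local test server, and the function names (compressGzip, readBodyUnbounded, readBodyBounded, ErrBodyTooLarge) are all constructed for this illustration and are not Ollama's identifiers; the 8 MiB bomb is deliberately small so the demo runs without exhausting memory.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrBodyTooLarge is returned when the decompressed body exceeds the cap.
var ErrBodyTooLarge = errors.New("decompressed response body exceeds size limit")

// compressGzip gzips payload at maximum compression. It is used below to
// build a constructed gzip bomb: a run of zero bytes inflates roughly 1000:1.
func compressGzip(payload []byte) []byte {
	var buf bytes.Buffer
	zw, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	zw.Write(payload)
	zw.Close()
	return buf.Bytes()
}

// readBodyUnbounded mirrors the vulnerable pattern in the advisory: the gzip
// stream goes straight into io.ReadAll, so the allocation is bounded only by
// whatever decompressed size the remote server chose.
func readBodyUnbounded(body io.Reader) ([]byte, error) {
	zr, err := gzip.NewReader(body)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// readBodyBounded is the hardened form: io.LimitReader caps how many
// decompressed bytes are ever buffered. Reading limit+1 bytes distinguishes
// "exactly limit" (accepted) from "more than limit" (rejected) without
// inflating the rest of the bomb.
func readBodyBounded(body io.Reader, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(body)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

func main() {
	// Constructed malicious "API server": a few KiB on the wire that inflate
	// to 8 MiB. A real bomb would be gigabytes.
	bomb := compressGzip(make([]byte, 8<<20))
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Encoding", "gzip")
		w.Write(bomb)
	}))
	defer srv.Close()

	// DisableCompression stops the transport from transparently inflating the
	// body, so the reader functions above see the raw gzip stream.
	client := &http.Client{Transport: &http.Transport{DisableCompression: true}}

	resp, err := client.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	data, _ := readBodyUnbounded(resp.Body)
	resp.Body.Close()
	fmt.Printf("unbounded: %d bytes on the wire -> %d bytes in memory\n", len(bomb), len(data))

	resp, err = client.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	_, err = readBodyBounded(resp.Body, 1<<20) // 1 MiB cap on decompressed size
	resp.Body.Close()
	fmt.Println("bounded:", err)
}
```

The cap must be applied to the decompressed stream, not to the wire bytes: a bomb is small on the wire by design, so a Content-Length check or a limit on the raw socket read does nothing against it.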

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/platform-resource-runner-rhel8 | Not affected | - | -
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Not affected | - | -


Additional information

Severity: Important
Weakness: CWE-400 (Uncontrolled Resource Consumption)
https://bugzilla.redhat.com/show_bug.cgi?id=2353630 ollama: Out-Of-Memory (OOM) Vulnerability in ollama/ollama

EPSS

Percentile: 35%
Score: 0.00144
Low

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
nvd
11 months ago

An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is present in the `makeRequestWithRetry` and `getAuthorizationToken` functions, which use `io.ReadAll` to read the response body. This can result in excessive memory usage and a Denial of Service (DoS) condition.

CVSS3: 7.5
debian
11 months ago

An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server ver ...

CVSS3: 7.5
github
11 months ago

Ollama Vulnerable to Denial of Service (DoS) via Crafted GZIP
