Description
A flaw has been found in Ollama up to 18.1. It affects unspecified processing in the file server/download.go of the Model Pull API component. Manipulation of the request can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
A flaw was found in Ollama's Model Pull API (server/download.go). A remote attacker who can reach the API can submit a crafted pull request that makes the Ollama server issue requests to attacker-chosen network locations, i.e. Server-Side Request Forgery (SSRF).
Statement
Severity: Moderate. A Server-Side Request Forgery (SSRF) flaw in Ollama's Model Pull API lets a remote attacker direct the server to initiate requests to arbitrary network locations. Because the request originates from the Ollama host, it can reach internal services that are not exposed to the attacker directly, enabling unauthorized access to internal network resources or serving as a pivot for further network-based attacks.
Mitigation
To reduce exposure, restrict network access to the Ollama service. Configure firewall rules so that inbound connections to the port Ollama listens on (11434 by default) are accepted only from trusted clients or networks. This limits who can reach the Model Pull API and therefore who can trigger the SSRF; it does not remove the flaw itself, and anyone still allowed to reach the API can still exploit it. Applying firewall rules may require a service reload or restart to take effect and can break legitimate clients if the trusted set is configured too narrowly.
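Beyond the inbound firewall, a deployment that fronts Ollama with a proxy or wrapper can also constrain where a pull is allowed to go. The following Go example is added here to illustrate that check; it is not Ollama's own code and does not reflect how server/download.go actually parses references. It assumes, for illustration, that a model reference names a registry only when its first path segment contains a dot or a port or is "localhost" (the usual OCI convention), and that unprefixed references go to an assumed default registry named in the code. It enforces a registry allowlist, refuses literal loopback, private, link-local (including the 169.254.169.254 metadata range) and unspecified addresses, and provides a second check for the addresses a hostname resolves to, since an allowlisted-looking name that resolves into RFC 1918 space is the classic SSRF bypass.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// DefaultRegistry is assumed for references that carry no registry prefix.
// This is an assumption for the example, not a value taken from the advisory.
const DefaultRegistry = "registry.ollama.ai"

// isPublic reports whether an address lies outside loopback, private, link-local
// (which covers the 169.254.169.254 cloud-metadata range), multicast and
// unspecified space. IPv4-mapped IPv6 addresses are unmapped first so that
// ::ffff:10.0.0.1 is judged as 10.0.0.1.
func isPublic(a netip.Addr) bool {
	a = a.Unmap()
	return !(a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified())
}

// RegistryHost returns the registry host[:port] that a model reference names.
// Assumption (OCI-style convention): the first path segment is a registry only
// if it contains a dot or a port, or is "localhost"; otherwise DefaultRegistry
// applies. A leading scheme is tolerated and discarded.
func RegistryHost(modelRef string) string {
	ref := modelRef
	if i := strings.Index(ref, "://"); i >= 0 {
		ref = ref[i+3:]
	}
	i := strings.Index(ref, "/")
	if i < 0 {
		return DefaultRegistry // e.g. "llama3:8b" has no registry part
	}
	first := strings.ToLower(ref[:i])
	if first == "localhost" || strings.ContainsAny(first, ".:") {
		return first
	}
	return DefaultRegistry // e.g. "library/llama3"
}

// CheckPullTarget enforces a registry allowlist on a model reference and, as a
// second layer, refuses literal addresses that are not publicly routable even
// if an operator has mistakenly allowlisted one.
func CheckPullTarget(modelRef string, allowedRegistries []string) error {
	host := RegistryHost(modelRef)
	name := host
	if h, _, err := net.SplitHostPort(host); err == nil {
		name = h // strips ":port" and the brackets of "[::1]:443"
	}
	name = strings.Trim(name, "[]") // bare "[::1]" without a port
	if a, err := netip.ParseAddr(name); err == nil && !isPublic(a) {
		return fmt.Errorf("pull target %q: non-public address %s refused", modelRef, a)
	}
	if name == "localhost" {
		return fmt.Errorf("pull target %q: localhost refused", modelRef)
	}
	for _, allowed := range allowedRegistries {
		if strings.EqualFold(host, allowed) {
			return nil
		}
	}
	return fmt.Errorf("pull target %q: registry %q is not in the allowlist", modelRef, host)
}

// CheckResolved applies the same public-address rule to the addresses a registry
// name resolved to. The caller supplies the resolved set (for example from
// net.DefaultResolver.LookupNetIP) so the check stays testable offline; in a real
// deployment the connection must then be made to the vetted address, not re-resolved.
func CheckResolved(host string, addrs []netip.Addr) error {
	if len(addrs) == 0 {
		return fmt.Errorf("registry %q resolved to no addresses", host)
	}
	for _, a := range addrs {
		if !isPublic(a) {
			return fmt.Errorf("registry %q resolves to non-public address %s", host, a)
		}
	}
	return nil
}

func main() {
	// Constructed allowlist for the demonstration.
	allowed := []string{"registry.ollama.ai", "models.example.com:5000"}
	for _, ref := range []string{
		"llama3:8b",
		"models.example.com:5000/team/model:latest",
		"10.0.0.5/library/model",
		"[::1]:443/library/model",
		"169.254.169.254/latest/meta-data",
		"localhost:11434/library/model",
		"evil.example.net/library/model",
	} {
		fmt.Printf("%-45s -> %v\n", ref, CheckPullTarget(ref, allowed))
	}
	// Constructed resolution result: an allowlisted name pointing into RFC 1918 space.
	fmt.Println(CheckResolved("models.example.com", []netip.Addr{netip.MustParseAddr("10.0.0.5")}))
}
```

The allowlist, not the address check, is the primary control: the address check only exists to catch an operator error or a name that resolves somewhere unexpected. Note that a DNS answer can change between the check and the connection, so the resolved, vetted address should be the one dialled.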
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-rhel9 | Fix deferred | | |
| Red Hat build of Debezium 3 | debezium-ai-embeddings-ollama | Fix deferred | | |
| Red Hat build of Debezium 3 | langchain4j-ollama | Fix deferred | | |
| Red Hat build of Debezium 3 | ollama | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 8 | ollama | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 8 | quarkus-langchain4j-ollama | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | ollama | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | quarkus-langchain4j-ollama | Fix deferred | | |
Additional information
CVSS3: 6.3 Medium