CVE-2024-5182

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the `model` parameter.

CVSS v3.0 9.1 CRITICAL

9.1^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545	Exploit Issue Tracking Patch
https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*

History

27 Aug 2024, 17:30

Type	Values Removed	Values Added
References	~~() https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e -~~	() https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e - Patch
References	~~() https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545 -~~	() https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545 - Exploit, Issue Tracking, Patch
CPE		cpe:2.3:a:mudler:localai::::::::
First Time		Mudler Mudler localai
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

20 Jun 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-20 00:15

Updated : 2024-08-27 17:30

NVD link : CVE-2024-5182

Mitre link : CVE-2024-5182

JSON object : View

Products Affected

mudler

localai

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.1 /10