Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcGN4LXIyZ3EteDg5M84AA9Nu
LocalAI path traversal vulnerability
A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.
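The missing control the advisory describes is a check that a user-supplied model name can only ever resolve to a file inside the models directory. The following Go helper is an added illustration of such a check, not LocalAI's own code; the models directory path and the sample model names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidModelName: the name is not a plain file name inside the models dir.
var ErrInvalidModelName = errors.New("invalid model name")
// resolveModelPath maps a user-supplied model name onto a file under modelsDir.
// Hypothetical hardened helper (not LocalAI's code): the name must be a single
// path element, and the cleaned, joined result must still lie below modelsDir.
func resolveModelPath(modelsDir, model string) (string, error) {
	if model == "" || model == "." || model == ".." ||
		strings.ContainsAny(model, `/\`) || filepath.IsAbs(model) {
		return "", ErrInvalidModelName
	}
	base, err := filepath.Abs(modelsDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, filepath.Clean(model))
	// Defence in depth: verify the resolved path is still inside base.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidModelName
	}
	return target, nil
}

// deleteModel removes a model file only after its path has been validated.
func deleteModel(modelsDir, model string) error {
	p, err := resolveModelPath(modelsDir, model)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	// Constructed sample names: one legitimate, two traversal attempts.
	for _, name := range []string{"ggml-gpt4all-j.bin", "../../etc/passwd", "/etc/passwd"} {
		p, err := resolveModelPath("/var/lib/localai/models", name)
		fmt.Printf("%q -> %q, err=%v\n", name, p, err)
	}
}
```

Rejecting any separator up front keeps the accepted namespace to bare file names, and the `filepath.Rel` check catches anything that still escapes after cleaning.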
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcGN4LXIyZ3EteDg5M84AA9Nu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-cpcx-r2gq-x893, CVE-2024-5182
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5182
- https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e
- https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545
- https://github.com/advisories/GHSA-cpcx-r2gq-x893
Blast Radius: 0.0
Affected Packages
go:github.com/go-skynet/LocalAI
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 2.16.0
Fixed in: 2.16.0
All affected versions: 0.8.1, 0.9.1, 0.9.2, 0.10.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.20.0, 1.20.1, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.23.2, 1.24.1, 1.25.0, 1.30.0, 1.40.0
All unaffected versions: