Vulnerability Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when resolving the model path, and thus mishandles inputs such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring (the cases exercised by the TestGetBlobsPath test).
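The fix class this record describes is strict input validation before any path operation: a digest must be exactly the algorithm name plus 64 hex digits, and anything else (too short, too long, path-traversal prefixes) is rejected before it can be joined onto the blob directory. The following Go example is added here to illustrate that check and is not Ollama's own code; the `sha256:<hex>` / `sha256-<hex>` spellings, the `validateDigest` and `blobPath` function names, and the `/var/lib/ollama/blobs` directory are assumptions chosen for the illustration. It also adds a second, independent containment check on the resulting path, which goes beyond the single regex the advisory implies.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// digestPattern is the only shape a digest may take: the literal algorithm
// name, one separator, and exactly 64 lowercase hex digits. Anchoring with
// ^ and $ is what rejects the three cases from the advisory: too few digits,
// too many digits, and a leading "../". Lowercase-only is a deliberate choice
// here (hex.EncodeToString emits lowercase); uppercase input is treated as malformed.
var digestPattern = regexp.MustCompile(`^sha256[:-][0-9a-f]{64}$`)

var ErrInvalidDigest = errors.New("invalid digest")

// validateDigest returns nil only for a well-formed sha256 digest.
func validateDigest(digest string) error {
	if !digestPattern.MatchString(digest) {
		return fmt.Errorf("%w: %q", ErrInvalidDigest, digest)
	}
	return nil
}

// blobPath maps a digest to its on-disk blob under blobsDir. The digest is
// validated before it ever touches a path operation, and the resulting path
// is independently checked to stay inside blobsDir (defence in depth, so a
// future relaxation of the regex cannot silently reintroduce traversal).
func blobPath(blobsDir, digest string) (string, error) {
	if err := validateDigest(digest); err != nil {
		return "", err
	}
	// Assumed on-disk convention: "sha256-<hex>" (manifests use "sha256:").
	name := strings.Replace(digest, ":", "-", 1)
	p := filepath.Join(blobsDir, name)

	rel, err := filepath.Rel(blobsDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: escapes blob directory", ErrInvalidDigest)
	}
	return p, nil
}

func main() {
	hex := strings.Repeat("ab", 32) // constructed 64-hex-digit value, not a real blob
	cases := []string{
		"sha256:" + hex,                  // well-formed: accepted
		"sha256:" + hex[:62],             // fewer than 64 hex digits
		"sha256:" + hex + "ab",           // more than 64 hex digits
		"../" + hex,                      // initial "../" substring
		"sha256:" + strings.ToUpper(hex), // uppercase: rejected by the strict pattern
	}
	for _, c := range cases {
		p, err := blobPath("/var/lib/ollama/blobs", c)
		if err != nil {
			fmt.Printf("reject %q: %v\n", c, err)
			continue
		}
		fmt.Printf("accept %q -> %s\n", c, p)
	}
}
```

Running the block prints one `accept` line for the well-formed digest and `reject` lines for the other four inputs. The important property is ordering: validation happens on the raw string, before `filepath.Join`, so the traversal prefix is never interpreted by a path function at all.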
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ollama | Ollama | < 0.1.34 |
Related Weaknesses (CWE)
References
- https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/s (Product)
- https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34 (Release Notes)
- https://github.com/ollama/ollama/pull/4175 (Issue Tracking)
- https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-anoth (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-37032?
CVE-2024-37032 is a vulnerability with a CVSS score of 8.8 (HIGH). Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex d...
How severe is CVE-2024-37032?
CVE-2024-37032 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2024-37032?
Check the References section above for vendor advisories and patch information; the fix is in Ollama 0.1.34. Affected product: Ollama (vendor: Ollama), versions before 0.1.34.