Vulnerability Description
A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the `model` parameter.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mudler | Localai | < 2.16.0 |
Related Weaknesses (CWE)
References
- https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0Patch
- https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545ExploitIssue TrackingPatch
- https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0Patch
- https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545ExploitIssue TrackingPatch
FAQ
What is CVE-2024-5182?
CVE-2024-5182 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, b...
How severe is CVE-2024-5182?
CVE-2024-5182 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-5182?
Check the references section above for vendor advisories and patch information. Affected products include: Mudler Localai.