CVE-2024-9309 — CRITICAL (9.3)

Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized web actions or access unauthorized web resources.

CVSS Score

9.3

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Hliu	Llava	1.2.0

Related Weaknesses (CWE)

CWE-918

References

https://huntr.com/bounties/2ba6be79-5c90-48fa-99cb-82503ea49a12ExploitThird Party Advisory

FAQ

What is CVE-2024-9309?

CVE-2024-9309 is a vulnerability with a CVSS score of 9.3 (CRITICAL). A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerabil...

How severe is CVE-2024-9309?

CVE-2024-9309 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-9309?

Check the references section above for vendor advisories and patch information. Affected products include: Hliu Llava.