CRITICAL🇵🇱 Wersja polska

CVE-2024-5182

CVSS 9.1v3.1pub. 2024-06-20upd. 2024-11-21

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the `model` parameter.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Mudler Localai

    APP
    Mudler
    < 2.16.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-6868CRITICAL9.8PL ✓ten sam produkt

Podatność tarslip w LocalAI umożliwiająca RCE przez arbitralny zapis pliku

CVE-2024-5181CRITICAL9.8PL ✓ten sam produkt

Command injection w LocalAI — pełne przejęcie systemu przez parametr backend

CVE-2024-2029CRITICAL9.8PL ✓ten sam produkt

Command injection w mudler/LocalAI — endpoint transkrypcji audio

CVE-2024-6983HIGH8.8ten sam produkt

mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the loc...

CVE-2024-9900MEDIUM6.1ten sam produkt

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality...