CVE-2024-2029

CVSS V2 None CVSS V3 None

Description

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.

Overview

CVE ID
CVE-2024-2029

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T17:08:05.727Z

Last Modified Date
2024-06-19T19:35:21.035Z

Weakness Enumerations

CWE	URL
CWE-78	http://cwe.mitre.org/data/definitions/78.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0
https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-2029
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2029

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 23:37:13				Added to TrackCVE