CVE-2024-5616

CVSS V2 None CVSS V3 None

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.

Overview

CVE ID
CVE-2024-5616

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-07-06T08:38:02.339Z

Last Modified Date
2024-07-06T08:38:02.339Z

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/fd753fb6-ba04-4dd8-abef-918fb97120af
https://github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-5616
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5616

History

Created	Old Value	New Value	Data Type	Notes
2024-07-07 13:03:29				Added to TrackCVE