CVE-2024-6095

CVSS V2 None CVSS V3 None

Description

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.

Overview

CVE ID
CVE-2024-6095

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-07-06T17:48:46.735Z

Last Modified Date
2024-07-06T17:48:46.735Z

Weakness Enumerations

CWE	URL
CWE-918	http://cwe.mitre.org/data/definitions/918.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/4799262d-72dc-43c8-bc99-81d0dce996dc
https://github.com/mudler/localai/commit/2fc6fe806b903ac0a70218b21b5c84443a1b0866

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-6095
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6095

History

Created	Old Value	New Value	Data Type	Notes
2024-07-07 13:03:36				Added to TrackCVE