CVE-2024-5182 – github.com/go-skynet/localai
Package
Manager: go
Name: github.com/go-skynet/localai
Vulnerable Version: >=0 <2.16.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00502 (percentile 0.65002)
Details
LocalAI path traversal vulnerability
A path traversal vulnerability exists in mudler/localai version 2.14.0: the `model` parameter of the model deletion operation is used to build a filesystem path without sufficient validation or sanitization, so a request whose `model` value contains traversal sequences (for example `../`) resolves to a path outside the intended models directory. An unauthenticated remote attacker can use this to delete arbitrary files the LocalAI process has permission to remove, which is why the vector above scores availability impact as High with no confidentiality or integrity impact. The affected range listed above covers every release before 2.16.0, so upgrading to 2.16.0 or later is the fix indicated by this advisory.
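The following Go program is an added illustration of the weakness class the advisory describes and one way to harden it; it is not LocalAI's code and does not reproduce the project's actual handler. The directory `/srv/models`, the function names and the sample model names are assumptions chosen for the example. `unsafeModelPath` shows why joining a user-controlled name onto a base directory is not enough: `filepath.Join` cleans `..` components rather than rejecting them. `safeModelPath` enforces that the name is a single path component and then verifies containment of the resolved path; `deleteModel` applies that check before removing anything.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidModelName is returned for any model name that is not a plain file name.
var ErrInvalidModelName = errors.New("invalid model name")

// unsafeModelPath reproduces the weakness pattern from the advisory: the
// user-controlled model name is joined onto the models directory without
// validation. filepath.Join cleans the result, so "../../etc/passwd" resolves
// to a path outside modelsDir instead of being rejected. Shown for contrast;
// this is example code, not LocalAI's implementation.
func unsafeModelPath(modelsDir, model string) string {
	return filepath.Join(modelsDir, model)
}

// safeModelPath accepts only a bare file name and confirms the resolved path
// is still inside modelsDir. Both checks are applied: the first is a clear
// allow-list rule, the second catches anything that slips past it.
func safeModelPath(modelsDir, model string) (string, error) {
	// A model name is a single path component: not empty, not "." or "..",
	// and free of either separator style (backslash rejected for portability).
	if model == "" || model == "." || model == ".." ||
		strings.ContainsAny(model, `/\`) || filepath.Base(model) != model {
		return "", ErrInvalidModelName
	}
	base, err := filepath.Abs(modelsDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, model)
	// Containment check: the path relative to base must not start with "..".
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidModelName
	}
	return target, nil
}

// deleteModel is the hardened deletion step: validate first, then remove.
func deleteModel(modelsDir, model string) error {
	p, err := safeModelPath(modelsDir, model)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	// Constructed inputs (assumed directory and names): one legitimate name,
	// one traversal payload, a bare "..", and a name with a subdirectory.
	for _, m := range []string{"llama.gguf", "../../etc/passwd", "..", "sub/model.bin"} {
		p, err := safeModelPath("/srv/models", m)
		fmt.Printf("model=%q unsafe=%s safe=%q err=%v\n",
			m, unsafeModelPath("/srv/models", m), p, err)
	}
}
```

Note that the check runs on the decoded parameter value: an HTTP router hands the handler `../` whether the client sent it literally or as `%2e%2e%2f`, so validating the decoded string, as above, is what matters. The bare-file-name rule is deliberately stricter than the containment check alone, since a model is expected to be a single file directly under the models directory.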
Metadata
Created: 2024-06-20T00:30:46Z
Modified: 2024-07-08T21:18:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-cpcx-r2gq-x893/GHSA-cpcx-r2gq-x893.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-cpcx-r2gq-x893
Finding: F063
Auto approve: 1