Command Injection Vulnerability in Model Initialization
A command injection vulnerability was identified in LocalAI versions 2.14.0 through 2.15.9, allowing attackers to execute arbitrary code via the backend parameter in a configuration file. This issue was patched in version 2.16.0.
Available publicly on Jun 26 2024 | Available with Premium on Jun 03 2024
Remediation Steps
- Update LocalAI to version 2.16.0 or later.
- Review and sanitize all user inputs, especially those used in command execution contexts.
- Implement strict input validation to prevent injection attacks.
- Regularly audit and update dependencies and third-party libraries.
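One way to apply the input-validation steps above to the backend field of a model configuration, as an added Go example that is not LocalAI's own code: the backend allowlist and the ValidateBackend function are constructed for illustration, and the point is that a backend name is checked as a plain token against a fixed list before anything resolves or launches a backend.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// knownBackends is a constructed allowlist for this example; a real deployment
// would populate it from the backends actually shipped with the server, never
// from user-controlled configuration.
var knownBackends = map[string]bool{
	"llama-cpp": true,
	"whisper":   true,
}

// backendNameRe accepts only a short token of letters, digits, '-' and '_'.
var backendNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

var ErrBadBackend = errors.New("invalid backend name")

// ValidateBackend returns the trimmed backend name if it is well-formed and on
// the allowlist, and an error otherwise. Rejecting anything that is not a plain
// token means path separators, whitespace and shell metacharacters never reach
// the code that resolves or starts the backend.
func ValidateBackend(raw string) (string, error) {
	name := strings.TrimSpace(raw)
	if !backendNameRe.MatchString(name) {
		return "", fmt.Errorf("%w: %q is not a plain token", ErrBadBackend, raw)
	}
	if !knownBackends[name] {
		return "", fmt.Errorf("%w: %q is not a known backend", ErrBadBackend, raw)
	}
	return name, nil
}

func main() {
	// Constructed inputs: one legitimate value and two that must be rejected.
	for _, in := range []string{"llama-cpp", "llama-cpp; id", "../../bin/sh"} {
		if name, err := ValidateBackend(in); err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
		} else {
			fmt.Printf("accepted %q\n", name)
		}
	}
}
```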
Patch Details
- Fixed Version: 2.16.0
- Patch Commit: https://github.com/mudler/LocalAI/commit/1a3dedece06cab1acc3332055d285ac540a47f0e