Critical Severity

localai

Command Injection Vulnerability in Model Initialization

A command injection vulnerability was identified in LocalAI versions 2.14.0 through 2.15.9, allowing attackers to execute arbitrary code via the backend parameter in a configuration file. This issue was patched in version 2.16.0.

Available publicly on Jun 26 2024

CVSS score: 9.8

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: mvlttt

Remediation Steps
  • Update LocalAI to version 2.16.0 or later.
  • Review and sanitize all user inputs, especially those used in command execution contexts.
  • Implement strict input validation to prevent injection attacks.
  • Regularly audit and update dependencies and third-party libraries.

Patch Details
  • Fixed Version: 2.16.0
  • Patch Commit: https://github.com/mudler/LocalAI/commit/1a3dedece06cab1acc3332055d285ac540a47f0e