Sightline

High

localai

Remote Code Execution via Malicious Configuration File

A remote code execution vulnerability was discovered in version 2.17.1 of the software, allowing attackers to execute arbitrary code by uploading a malicious configuration file. This issue was patched in version 2.19.4.

Available publicly on Sep 27 2024 | Available with Premium on Aug 20 2024

CVE:

CVE-2024-6983

CWE:

94:Improper Control of Generation of Code

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Credit:

mvlttt

Assess Detect

Unavailable

Remediate

Remediation Steps

Update to version 2.19.4 or later.
Ensure that configuration files are validated and sanitized before processing.
Implement strict access controls to limit who can upload configuration files.
Monitor network traffic for suspicious activity related to configuration file uploads.

Patch Details

Fixed Version: 2.19.4
Patch Commit: https://github.com/mudler/LocalAI/commit/d02a0f6f01d5c4a926a2d67190cb55d7aca23b66

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 644- related security advisories that are available with Sightline Premium.