High Severity

localai

Path Traversal Vulnerability in Model Deletion Process

A path traversal vulnerability was identified in LocalAI version 2.14.0. The `model` parameter of the model deletion request is joined to the models directory without a containment check, so a crafted value containing traversal sequences lets an attacker delete arbitrary files that the LocalAI server process can write to. This issue was fixed in version 2.16.0.

Available publicly on Jun 19 2024

CVSS Score: 7.5 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: mvlttt

Remediation Steps
  • Update to LocalAI version 2.16.0 or later.
  • Restrict the `model` parameter to a bare file name, resolve it under the models directory, and reject any value that escapes that directory (separators, `..`, absolute paths) before touching the filesystem.
  • Implement strict access controls and file permissions to limit the files accessible by the LocalAI server process.
  • Regularly audit and monitor server logs for unusual deletion requests or patterns that may indicate exploitation attempts.
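The containment check the remediation steps call for, shown as an added example written for this advisory rather than taken from LocalAI's own code: the flawed pattern (user-controlled name joined straight onto the models directory) next to a hardened `safeModelPath` that accepts only a bare file name and verifies the resolved path still lies inside the directory, plus a `deleteModel` that refuses symlinks and non-regular files. The directory layout, the `ggml-model.bin` file and the helper names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a model name would resolve outside the models directory.
var ErrTraversal = errors.New("model name escapes the models directory")

// unsafeModelPath shows the flawed pattern: the user-controlled name is joined to the
// models directory with no containment check, so "../../etc/passwd" resolves outside it.
func unsafeModelPath(modelsDir, name string) string {
	return filepath.Join(modelsDir, name)
}

// safeModelPath accepts only a bare file name and verifies that the joined path still
// lies inside modelsDir. The separator check rejects traversal up front; the Rel check
// is defense in depth against platform-specific path handling.
func safeModelPath(modelsDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrTraversal
	}
	base, err := filepath.Abs(modelsDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// deleteModel removes a model file only after the containment check passes and the
// target is a regular file, so a planted symlink cannot redirect the delete elsewhere.
func deleteModel(modelsDir, name string) error {
	p, err := safeModelPath(modelsDir, name)
	if err != nil {
		return err
	}
	fi, err := os.Lstat(p)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("refusing to delete non-regular file %q", name)
	}
	return os.Remove(p)
}

func main() {
	// Constructed demo: a throwaway models directory holding one fake model file.
	dir, err := os.MkdirTemp("", "models")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "ggml-model.bin"), []byte("fake weights"), 0o600)

	for _, name := range []string{"ggml-model.bin", "../../etc/passwd", "..", "sub/model.bin"} {
		fmt.Printf("unsafe join %-20q -> %s\n", name, unsafeModelPath(dir, name))
		if err := deleteModel(dir, name); err != nil {
			fmt.Printf("delete      %-20q refused: %v\n", name, err)
		} else {
			fmt.Printf("delete      %-20q ok\n", name)
		}
	}
}
```

Rejecting separators outright is stricter than a prefix comparison on the cleaned path, and that is deliberate: model names in a flat models directory have no legitimate need for subdirectories, and the narrower allowlist leaves no room for encoding or normalization tricks. The `Lstat` step matters because an attacker who can write into the models directory could otherwise plant a symlink named like a model and have the delete follow it.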
Patch Details
  • Fixed Version: 2.16.0
  • Patch Commit: https://github.com/mudler/LocalAI/commit/1a3dedece06cab1acc3332055d285ac540a47f0e