Path Traversal Vulnerability in Model Deletion Process
A path traversal vulnerability was identified in LocalAI version 2.14.0, allowing an attacker to delete arbitrary files by supplying a traversal sequence in the `model` parameter during the model deletion process. This issue was patched in version 2.16.0.
Available publicly on Jun 19 2024 | Available with Premium on Jun 03 2024
Remediation Steps
- Update to LocalAI version 2.16.0 or later.
- Review and sanitize all user inputs, especially file paths, to prevent path traversal attacks.
- Implement strict access controls and file permissions to limit the files accessible by the LocalAI server process.
- Regularly audit and monitor server logs for unusual deletion requests or patterns that may indicate exploitation attempts.
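The second remediation step (sanitize the user-supplied file path before acting on it) is the one that actually closes this class of bug. The Go example below is an added illustration, not LocalAI's own code or the patch commit: it takes a hypothetical `model` parameter, refuses anything that is not a plain file name, and additionally confirms that the cleaned, joined path still lies below the models directory before calling `os.Remove`. The `models` directory name and the `demo.yaml` file are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidModelName is returned when a user-supplied model name is empty,
// contains a path separator, or would resolve outside the models directory.
var ErrInvalidModelName = errors.New("invalid model name")

// SafeModelPath (hypothetical helper) resolves name inside modelsDir and
// returns the absolute path only if it stays strictly within that directory.
func SafeModelPath(modelsDir, name string) (string, error) {
	// A model name is a single file name: reject empty names, dot entries,
	// absolute paths and anything carrying a separator ("/" or "\").
	if name == "" || name == "." || name == ".." ||
		filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
		return "", ErrInvalidModelName
	}
	base, err := filepath.Abs(modelsDir)
	if err != nil {
		return "", err
	}
	// Belt and braces: after cleaning, the path relative to base must not
	// escape upward. This also catches traversal if the first check is ever
	// loosened to allow subdirectories.
	full := filepath.Clean(filepath.Join(base, name))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidModelName
	}
	return full, nil
}

// DeleteModel removes the named model file from modelsDir only after the
// name has passed SafeModelPath.
func DeleteModel(modelsDir, name string) error {
	p, err := SafeModelPath(modelsDir, name)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

// IsRejected reports whether SafeModelPath refuses the given name; used
// to make the validation rule easy to exercise without touching the disk.
func IsRejected(name string) bool {
	_, err := SafeModelPath("models", name)
	return errors.Is(err, ErrInvalidModelName)
}

func main() {
	// Constructed demo: a temporary models directory holding one file.
	dir, err := os.MkdirTemp("", "models")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "demo.yaml"), []byte("name: demo\n"), 0o600); err != nil {
		panic(err)
	}

	// The first name is a legitimate deletion; the rest are the shapes of
	// input the validation must refuse.
	for _, n := range []string{"demo.yaml", "../../secret.txt", "/tmp/secret.txt", "..", "sub/demo.yaml"} {
		fmt.Printf("delete %q -> %v\n", n, DeleteModel(dir, n))
	}
}
```

One caveat the check does not cover: if an attacker can already create a symlink inside the models directory, `os.Remove` unlinks the link itself rather than the target, so this validator is sufficient for deletion, but a similar guard around reads or writes would additionally want `filepath.EvalSymlinks` before comparing against the base directory.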
Patch Details
- Fixed Version: 2.16.0
- Patch Commit: https://github.com/mudler/LocalAI/commit/1a3dedece06cab1acc3332055d285ac540a47f0e