Severity: High

Product: localai

Arbitrary File Write via Automatic Archive Extraction

LocalAI version 2.17.1 allows arbitrary file write by abusing its automatic archive extraction. The issue was patched in version 2.18.1.

Published: Sep 25, 2024

CVSS score: 8.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Credit: ozelis

Remediation Steps
  • Update to version 2.18.1 or later.
  • Implement input validation to ensure that archives do not contain symlinks.
  • Modify the extraction process to restrict file writes to the intended directory.
  • Regularly audit and monitor file permissions and configurations to detect unauthorized changes.
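The second and third remediation steps in code, as an added example rather than LocalAI's own patch: a Go tar extractor (LocalAI is written in Go) that rejects link and device members and refuses any member whose cleaned path lands outside the destination directory. The function name is an assumption, not an identifier from the project.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// SafeExtractTar unpacks a tar stream into dest, refusing links, devices and any
// member whose cleaned path would land outside dest. (Hypothetical name.)
func SafeExtractTar(r io.Reader, dest string) error {
	root, tr := filepath.Clean(dest), tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		// A symlink member extracted first would redirect later writes through it.
		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
			return fmt.Errorf("unsafe entry %q: type %d not allowed", hdr.Name, hdr.Typeflag)
		}
		target := filepath.Join(root, hdr.Name) // Join cleans away ".." segments
		if !strings.HasPrefix(target+string(os.PathSeparator), root+string(os.PathSeparator)) {
			return fmt.Errorf("unsafe entry %q: escapes %s", hdr.Name, root)
		}
		if hdr.Typeflag == tar.TypeDir {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		// O_EXCL: never follow or overwrite whatever already exists at target.
		f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err != nil {
			return err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return err
		}
	}
}
```

Because members are checked one at a time, a hostile member that appears after benign ones still aborts the extraction, so callers should treat a returned error as "discard the whole archive", not as a partial success.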
Patch Details
  • Fixed Version: 2.18.1
  • Patch Commit: https://github.com/mudler/LocalAI/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c