cvebase

Mudler Localai vulnerabilities

10 known vulnerabilities affecting mudler/mudler_localai.

Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 1, MEDIUM 5

Vulnerabilities

CVE-2024-5182 · P2 · CRITICAL · CVSS 9.1 · ≥ unspecified, < 2.16.0 · 2024-06-20
CVE-2024-5182 [CRITICAL] CWE-22: A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended dir
nvd
CVE-2024-2029 · P2 · CRITICAL · CVSS 9.8 · ≥ unspecified, < v2.10.0 · 2024-04-10
CVE-2024-2029 [CRITICAL] CWE-78: A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attack
nvd
CVE-2024-5181 · P2 · CRITICAL · CVSS 9.8 · ≥ unspecified, < 2.16.0 · 2024-06-26
CVE-2024-5181 [CRITICAL] CWE-78: A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, which is used in the name of the initialized process. An attacker can exploit this vulnerability by manipulating the path of the vulnerable binary file specified in
nvd
CVE-2024-6868 · P2 · CRITICAL · CVSS 9.8 · ≥ unspecified, < 2.18.1 · 2024-10-29
CVE-2024-6868 [CRITICAL] CWE-59: mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to
nvd
CVE-2024-6095 · P3 · MEDIUM · CVSS 5.8 · PoC · ≥ unspecified, < 2.17 · 2024-07-06
CVE-2024-6095 [MEDIUM] CWE-918: A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can
nvd
CVE-2024-6983 · P3 · HIGH · CVSS 8.8 · ≥ unspecified, < 2.19.4 · 2024-09-27
CVE-2024-6983 [HIGH] CWE-94: mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system.
nvd
CVE-2024-7010 · P3 · MEDIUM · CVSS 5.9 · ≥ unspecified, < 2.21 · 2024-10-29
CVE-2024-7010 [MEDIUM] CWE-208: mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, pot
nvd
CVE-2024-3135 · P4 · MEDIUM · CVSS 6.5 · ≥ unspecified, ≤ latest · 2024-04-01
CVE-2024-3135 [MEDIUM] CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill
nvd
CVE-2024-9900 · P4 · MEDIUM · CVSS 6.1 · ≥ unspecified, < 2.22.0 · 2025-03-20
CVE-2024-9900 [MEDIUM] CWE-79: mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially co
nvd
CVE-2024-5616 · P4 · MEDIUM · CVSS 4.3 · ≥ unspecified, < 2.17 · 2024-07-06
CVE-2024-5616 [MEDIUM] CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due
nvd