Ollama DNS Rebinding Vulnerability Allows Unauthorized Access to Full API
CVE-2024-28224

6.6MEDIUM

Key Information:

Vendor: Ollama
Status: Ollama
Vendor: CVE Published:; 8 April 2024

What is CVE-2024-28224?

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

References

https://www.nccgroup.trust/us/our-research/?research=Tech...

https://github.com/ollama/ollama/releases

https://research.nccgroup.com/2024/04/08/technical-adviso...

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2024
Vulnerability Reserved
Mar 7, 2024