Command Injection Vulnerability in mudler/localai 2.14.0
CVE-2024-5181

9.8CRITICAL

Key Information:

Vendor: Mudler
Status: Mudler/localai
Vendor: CVE Published:; 26 June 2024

Badges

📰 News Worthy

Summary

A command injection vulnerability exists in Mudler's LocalAI version 2.14.0, stemming from inadequate handling of the backend parameter within its configuration file. This flaw permits an adversary to manipulate the path of the vulnerable binary specified in the backend parameter, paving the way for arbitrary code execution on the target system. By exploiting this vulnerability, attackers can gain potentially full control over affected systems, underscoring the critical need for prompt remediation and enhanced security measures.

Affected Version(s)

mudler/localai < 2.16.0

News Articles

🔗prophaze.com

CVE-2024-5181

CVE-2024-5181 : MUDLER LOCALAI UP TO 2.14.0 CONFIGURATION FILE BACKEND OS COMMAND INJECTION - Cloud WAF

CVE-2024-5181 : A command injection vulnerability exists in the mudler/localai version 2.14.0.

8 months ago

References

https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644...

https://github.com/mudler/localai/commit/1a3dedece06cab1a...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

📰
First article discovered by prophaze.com
Jun 26, 2024
Vulnerability published
Jun 26, 2024
Vulnerability Reserved
May 21, 2024

Key Information:

Badges

Summary

Affected Version(s)

Get notified when SecurityVulnerability.io launches alerting 🔔

News Articles

CVE-2024-5181 : MUDLER LOCALAI UP TO 2.14.0 CONFIGURATION FILE BACKEND OS COMMAND INJECTION - Cloud WAF

References

CVSS V3.1

Timeline