Command Injection Vulnerability in mudler/localai 2.14.0
CVE-2024-5181

9.8CRITICAL

Key Information:

Vendor
Mudler
Status
Mudler/localai
Vendor
CVE Published:
26 June 2024

Badges

📰 News Worthy

Summary

A command injection vulnerability exists in Mudler's LocalAI version 2.14.0, stemming from inadequate handling of the backend parameter within its configuration file. This flaw permits an adversary to manipulate the path of the vulnerable binary specified in the backend parameter, paving the way for arbitrary code execution on the target system. By exploiting this vulnerability, attackers can gain potentially full control over affected systems, underscoring the critical need for prompt remediation and enhanced security measures.

Affected Version(s)

mudler/localai < 2.16.0

News Articles

favicon imageprophaze.com

CVE-2024-5181 : MUDLER LOCALAI UP TO 2.14.0 CONFIGURATION FILE BACKEND OS COMMAND INJECTION - Cloud WAF

CVE-2024-5181 : A command injection vulnerability exists in the mudler/localai version 2.14.0.

References

https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644...
https://github.com/mudler/localai/commit/1a3dedece06cab1a...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📰

    First article discovered by prophaze.com

  • Vulnerability published

  • Vulnerability Reserved

.