Arbitrary File Deletion Vulnerability in mudler/localai 2.14.0
CVE-2024-5182
9.1CRITICAL
Summary
A significant path traversal vulnerability exists in Mudler's LocalAI version 2.14.0, allowing attackers to exploit the model parameter during the model deletion process. By crafting a specific request with a manipulated model parameter, an attacker can navigate the directory structure to target and delete files stored outside of the intended directory. This issue arises from a lack of proper input validation and sanitization on the model parameter, potentially leading to the loss of sensitive data and posing a considerable security risk.
References
CVSS V3.1
Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published