CVE-2024-6868

EUVD-2024-47862

29.10.2024, 13:15

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 65%

Affected Products (NVD)

Vendor	Product	Version
mudler	localai	2.17.1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mudler	localai	𝑥 < 2.18.1	ADP

Known Exploits!

https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c

https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229