A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the `model` parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HMudler Localai
APPMudler< 2.16.0
Related vulnerabilities
Podatność tarslip w LocalAI umożliwiająca RCE przez arbitralny zapis pliku
Command injection w LocalAI — pełne przejęcie systemu przez parametr backend
Command injection w mudler/LocalAI — endpoint transkrypcji audio
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the loc...
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality...