Endor Labs

3 exploits Active since Dec 2021
CVE-2024-10821 NOMISEC HIGH STUB
InvokeAI v5.0.1 - Unauthenticated Denial of Service via Multipart Boundary Processing
A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.
CVSS 7.5
CVE-2024-12886 NOMISEC HIGH STUB
ollama 0.3.14 - Denial of Service via Gzip Bomb HTTP Response
An out-of-memory (OOM) vulnerability exists in the `ollama` server, version 0.3.14. It can be triggered when a malicious API server replies with a gzip-bomb HTTP response, causing the `ollama` server to crash. The vulnerable code is in the `makeRequestWithRetry` and `getAuthorizationToken` functions, which use `io.ReadAll` to read the entire response body; this can result in excessive memory usage and a Denial of Service (DoS) condition.
CVSS 7.5
CVE-2021-23797 NOMISEC HIGH STUB
http-server-node - Path Traversal via --path-as-is
All versions of the package http-server-node are vulnerable to Directory Traversal when the --path-as-is option is used.
CVSS 7.5