CVE-2024-7010

MEDIUM

mudler/localai <2.17.1 - Info Disclosure

Description

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access.

Scores

CVSS v3: 5.9
EPSS: 0.0026
EPSS Percentile: 49.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-208, CWE-203
Status: published
Products (1): mudler/localai 2.17.1
Published: Oct 29, 2024
Tracked Since: Feb 18, 2026