CVE-2024-37032

Published May 31, 2024

Last updated 23 days ago

CVSS high 8.8

Overview

Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Source
cve@mitre.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending

  1. Threat Alert: Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the CVE-2024-43405 CVE-2024-37032 Severity: 🟡 Medium Maturity: 💢 Emerging Learn more: https://t.co/AS7I7AgI8k #CyberSecurity #ThreatIntel #InfoSec

    @fletch_ai

    4 Jan 2025

    17 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References