Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Command Injection in mudler/localai
Vulnerability Description
A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.
CVSS Information
N/A
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
localai 操作系统命令注入漏洞
Vulnerability Description
LocalAI是Ettore Di Giacinto个人开发者的一个免费的、开源的 OpenAI 替代方案。 localai存在操作系统命令注入漏洞,该漏洞源于在通过 shell 命令将用户提供的文件名传递给 ffmpeg 之前未对其进行清理,从而允许攻击者在主机系统上执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A