Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary File Write in mudler/LocalAI
Vulnerability Description
mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.
CVSS Information
N/A
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Vulnerability Title
LocalAI 安全漏洞
Vulnerability Description
LocalAI是Ettore Di Giacinto个人开发者的一个免费的、开源的 OpenAI 替代方案。 LocalAI 2.17.1版本存在安全漏洞,该漏洞源于对自动存档提取处理不当,允许任意文件写入,可能导致远程代码执行(RCE)。
CVSS Information
N/A
Vulnerability Type
N/A