Cyber Resilience

CVE-2024-45436

Severity: High
Published: 29 August 2024
Modified: 30 August 2024
KEV Added: not listed
Patch: fixed in Ollama 0.1.47
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.2908 (96.7th percentile)
Risk Priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45436 is a high-severity path traversal (CWE-22) vulnerability in Ollama. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Ollama before version 0.1.47 contains a path traversal vulnerability in the extractFromZipFile function in model.go. The flaw, classified as CWE-22, allows members of a ZIP archive to be extracted outside the intended parent directory when model files are processed, affecting any deployment that accepts untrusted archives over the network. The issue carries a CVSS 3.1 score of 7.5: network attack vector, low attack complexity, and no privileges or user interaction required.

An unauthenticated remote attacker can supply a malicious ZIP archive to trigger arbitrary file writes on the server filesystem. Successful exploitation is scored as high confidentiality impact, since it allows access to sensitive files outside the extraction directory, with integrity and availability unaffected.

The referenced GitHub pull request and version comparison show that the vulnerability is resolved in Ollama 0.1.47 by correcting the extraction logic to enforce directory boundaries. The EPSS score has remained near 0.29, with only minor fluctuation between its recorded peak and its current value.
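As an added example (not Ollama's own code), the kind of boundary check the fix describes, in Go: every ZIP member name is resolved under the destination directory before anything is written, and any member whose cleaned path escapes that directory is refused. The function names, the destination path and the archive contents are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeMemberPath maps a ZIP member name to a path under dst and rejects names whose cleaned form
// resolves outside dst (CWE-22). Join cleans ".." segments and strips a leading "/", so target is absolute.
func safeMemberPath(dst, name string) (string, error) {
	root := filepath.Clean(dst)
	target := filepath.Join(root, filepath.FromSlash(name))
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("zip member %q escapes %s", name, root)
	}
	return target, nil
}

// checkArchive screens every member of an in-memory ZIP before anything is written
// and returns the member names that safeMemberPath refuses.
func checkArchive(archive []byte, dst string) (bad []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if r == nil { // newer Go may return a usable reader together with an insecure-path error
		return nil, err
	}
	for _, f := range r.File {
		if _, perr := safeMemberPath(dst, f.Name); perr != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildArchive produces sample ZIP bytes (constructed test data, not a real model file).
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		w.Create(n) // empty member; only the name matters for this check
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(checkArchive(buildArchive([]string{"model/weights.bin", "../../etc/evil", "model/../../escape"}), "/var/lib/ollama/models/tmp"))
}
```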

Vulnerability details

extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ollama
Product: ollama
Versions: ≤ 0.1.47

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
