CVE-2024-7010

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access.
Configurations

Configuration 1

cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*

History

14 Nov 2024, 14:15

Type Values Removed Values Added
CWE CWE-200

13 Nov 2024, 14:54

Type Values Removed Values Added
Summary
  • (es) mudler/localai version 2.17.1 is vulnerable to a timing attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, which can lead to unauthorized access.
References: removed https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468 (no tags); added https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468 - Patch
References: removed https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362 (no tags); added https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362 - Exploit, Third Party Advisory
CVSS: removed v2 : unknown, v3 : 7.5; added v2 : unknown, v3 : 5.9
CWE CWE-203
CPE cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*
First Time Mudler
Mudler localai

29 Oct 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 13:15

Updated : 2024-11-14 14:15


NVD link : CVE-2024-7010

Mitre link : CVE-2024-7010

CVE.ORG link : CVE-2024-7010



Products Affected

mudler

  • localai
CWE
CWE-203

Observable Discrepancy