CVE-2024-37032

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
https://github.com/ollama/ollama/pull/4175
https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
https://github.com/ollama/ollama/pull/4175
https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032

Configurations

No configuration.

History

27 Mar 2025, 21:15

Type	Values Removed	Values Added
CWE		CWE-22
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

Information

Published : 2024-05-31 04:15

Updated : 2025-03-27 21:15

NVD link : CVE-2024-37032

Mitre link : CVE-2024-37032

CVE.ORG link : CVE-2024-37032

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-37032", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-05-31T04:15:09.617", "references": [{"url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58", "source": "cve@mitre.org"}, {"url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34", "source": "cve@mitre.org"}, {"url": "https://github.com/ollama/ollama/pull/4175", "source": "cve@mitre.org"}, {"url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032", "source": "cve@mitre.org"}, {"url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ollama/ollama/pull/4175", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring."}, {"lang": "es", "value": "Ollama anterior a 0.1.34 no valida el formato del resumen (sha256 con 64 d\u00edgitos hexadecimales) al obtener la ruta del modelo y, por lo tanto, maneja mal los casos de prueba TestGetBlobsPath, como menos de 64 d\u00edgitos hexadecimales, m\u00e1s de 64 d\u00edgitos hexadecimales o una inicial. ../ subcadena."}], "lastModified": "2025-03-27T21:15:49.287", "sourceIdentifier": "cve@mitre.org"}