CVE-2024-37032

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58	Product
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34	Release Notes
https://github.com/ollama/ollama/pull/4175	Issue Tracking
https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032	Exploit Third Party Advisory
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58	Product
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34	Release Notes
https://github.com/ollama/ollama/pull/4175	Issue Tracking
https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-05-31 04:15

Updated : 2025-05-01 14:01

NVD link : CVE-2024-37032

Mitre link : CVE-2024-37032

CVE.ORG link : CVE-2024-37032

JSON object : View

Products Affected

ollama

ollama

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-37032", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-05-31T04:15:09.617", "references": [{"url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/ollama/ollama/pull/4175", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ollama/ollama/pull/4175", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring."}, {"lang": "es", "value": "Ollama anterior a 0.1.34 no valida el formato del resumen (sha256 con 64 d\u00edgitos hexadecimales) al obtener la ruta del modelo y, por lo tanto, maneja mal los casos de prueba TestGetBlobsPath, como menos de 64 d\u00edgitos hexadecimales, m\u00e1s de 64 d\u00edgitos hexadecimales o una inicial. ../ subcadena."}], "lastModified": "2025-05-01T14:01:44.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6FFF9F3-E470-40F2-B950-615D4B263935", "versionEndExcluding": "0.1.34"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}