Detections
Analytics
Ollama < 0.1.34 Multiples Vulnerabilities
critical Web App Scanning Plugin ID 114579
Language:
Synopsis
Ollama < 0.1.34 Multiples VulnerabilitiesDescription
According to the self-reported version in its response header, the version of Ollama hosted on the remote web server is < 0.1.34. It is, therefore, affected by a Multiples vulnerabilities :- A Remote Code Execution through models pulling - An Improper Resource Shutdown or Release through the req.Path parameter which is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client).
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Ollama version 0.1.34 or later.See Also
Plugin Details
Severity: Critical
ID: 114579
Type: remote
Family: Component Vulnerability
Published: 1/28/2025
Updated: 1/28/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2024-37032
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-37032
Vulnerability Information
CPE: cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 5/7/2024
Vulnerability Publication Date: 5/7/2024
Reference Information
CVE: CVE-2024-37032, CVE-2024-39721
OWASP: 2013-A9, 2017-A9, 2021-A6
WASC: Denial of Service
CAPEC: 540
DISA STIG: APSC-DV-002590, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.12.6.1, 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-16
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1