{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7010", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-07-23T03:56:04.540Z", "datePublished": "2024-10-29T12:48:29.287Z", "dateUpdated": "2024-11-14T13:28:44.849Z"}, "containers": {"cna": {"title": "Timing Attack in mudler/localai", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-11-14T13:28:44.849Z"}, "descriptions": [{"lang": "en", "value": "mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access."}], "affected": [{"vendor": "mudler", "product": "mudler/localai", "versions": [{"version": "unspecified", "lessThan": "2.21", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362"}, {"url": "https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-203 Observable Discrepancy", "cweId": "CWE-203"}]}], "source": {"advisory": "e286ed00-6383-47de-b5bc-9b9fad67c362", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "mudler", "product": "localai", "cpes": ["cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.21", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-29T13:18:36.382204Z", "id": "CVE-2024-7010", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T13:30:36.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7010", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-29T13:18:36.382204Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*"], "vendor": "mudler", "product": "localai", "versions": [{"status": "affected", "version": "0", "lessThan": "2.21", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T13:30:26.296Z"}}], "cna": {"title": "Timing Attack in mudler/localai", "source": {"advisory": "e286ed00-6383-47de-b5bc-9b9fad67c362", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mudler", "product": "mudler/localai", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.21", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362"}, {"url": "https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468"}], "descriptions": [{"lang": "en", "value": "mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-11-14T13:28:44.849Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7010", "state": "PUBLISHED", "dateUpdated": "2024-11-14T13:28:44.849Z", "dateReserved": "2024-07-23T03:56:04.540Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-10-29T12:48:29.287Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*", "matchCriteriaId": "CDCAF2D5-46FD-4D8E-B65B-9BE9FDD5D686", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access."}, {"lang": "es", "value": " La versi\u00f3n 2.17.1 de mudler/localai es vulnerable a un ataque de sincronizaci\u00f3n. Este tipo de ataque de canal lateral permite a un atacante comprometer el sistema criptogr\u00e1fico analizando el tiempo que lleva ejecutar algoritmos criptogr\u00e1ficos. Espec\u00edficamente, en el contexto del manejo de contrase\u00f1as, un atacante puede determinar credenciales de inicio de sesi\u00f3n v\u00e1lidas en funci\u00f3n del tiempo de respuesta del servidor, lo que puede provocar un acceso no autorizado."}], "id": "CVE-2024-7010", "lastModified": "2024-11-14T14:15:19.160", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-29T13:15:08.683", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}