Closed
Description
CVE-2024-37032 references github.com/ollama/ollama, which may be a Go module.
Description:
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-37032
- JSON: https://github.com/CVEProject/cvelist/tree/e076e9c24f3ede5a41143e706602e9c41139fd45/2024/37xxx/CVE-2024-37032.json
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37032
- fix: validate the format of the digest when getting the model path ollama/ollama#4175
- web: https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
- web: ollama/ollama@v0.1.33...v0.1.34
- Imported by: https://pkg.go.dev/github.com/ollama/ollama?tab=importedby
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/ollama/ollama
vulnerable_at: 0.1.42
packages:
- package: n/a
summary: CVE-2024-37032 in github.com/ollama/ollama
cves:
- CVE-2024-37032
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37032
- fix: https://github.com/ollama/ollama/pull/4175
- web: https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
- web: https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
source:
id: CVE-2024-37032
created: 2024-06-07T17:18:01.939985-04:00
review_status: UNREVIEWED