CVE-2024-2029
Last modified
CVE-2024-2029 is a vulnerability of currently unknown severity. A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. EPSS estimates a 2.88% chance of exploitation in the next 30 days.
Description
A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mudler | Localai | < 2.10.0 |
References
- https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0Exploit, Third Party Advisory
- https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-2029?
How severe is CVE-2024-2029?
How do I fix CVE-2024-2029?
Are you affected by CVE-2024-2029?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST