PT-2024-9415 · Ollama · Ollama

Published 2024-10-30 · Updated 2025-02-27 · CVE-2024-39719

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Ollama versions 0.3.14 and earlier

Description: The issue is related to the disclosure of system data to unauthorized individuals. It can be exploited by a remote attacker to cause a denial of service. The vulnerability allows file existence disclosure via the "api/create" endpoint. When the CreateModel route is called with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing information about file existence on the server.

Recommendations: For Ollama versions 0.3.14 and earlier, update to version 0.1.47 or later to protect against file disclosure risks. As a temporary workaround, consider restricting access to the "api/create" endpoint until a patch is available. Avoid using the CreateModel route with path parameters that do not exist to minimize the risk of exploitation.
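
The error reflection described above, next to a handler that gives one answer for every failure, as an added Go example (not Ollama's code and not its actual fix). The handler names, the response strings other than "File does not exist", and the "GGUF" prefix check standing in for model parsing are assumptions; `leaksExistence` is a regression check that compares responses for an existing and a missing path.

```go
package main

import (
	"errors"
	"log"
	"os"
	"path/filepath"
)

// loadModel is a hypothetical stand-in for model parsing (constructed check).
func loadModel(path string) error {
	data, err := os.ReadFile(path)
	if err == nil && (len(data) < 4 || string(data[:4]) != "GGUF") {
		err = errors.New("not a model file")
	}
	return err
}

// createReflecting: weak pattern, the body reveals whether the path exists.
func createReflecting(path string) (int, string) {
	if err := loadModel(path); errors.Is(err, os.ErrNotExist) {
		return 400, "File does not exist"
	} else if err != nil {
		return 400, "invalid model file"
	}
	return 200, "success"
}

// createUniform: one response for every failure; detail stays in the server log.
func createUniform(path string) (int, string) {
	if err := loadModel(path); err != nil {
		log.Printf("create: rejected %q: %v", path, err)
		return 400, "could not create model"
	}
	return 200, "success"
}

// leaksExistence: true if h answers differently for an existing non-model
// file and a missing path (constructed in a temp dir; setup errors ignored).
func leaksExistence(h func(string) (int, string)) bool {
	dir, _ := os.MkdirTemp("", "create-oracle")
	defer os.RemoveAll(dir)
	present := filepath.Join(dir, "present.txt")
	_ = os.WriteFile(present, []byte("constructed sample"), 0o600)
	s1, b1 := h(present)
	s2, b2 := h(filepath.Join(dir, "absent.txt"))
	return s1 != s2 || b1 != b2
}

func main() { log.Println(leaksExistence(createReflecting), leaksExistence(createUniform)) }
```

Response timing can still differ between the two cases, so restricting who can reach the endpoint remains relevant alongside a uniform error.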

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2024-11110
CVE-2024-39719

Affected Products

Ollama