PT-2025-12107 · Llava · Llava

Published 2025-03-20 · Updated 2025-07-14 · CVE-2024-11449

CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: haotian-liu/llava version 1.2.0

Description: A vulnerability allows for Server-Side Request Forgery (SSRF) through the "/run/predict" endpoint. An attacker can gain unauthorized access to internal networks or the AWS metadata endpoint by sending crafted requests that exploit insufficient validation of the path parameter. This flaw can lead to unauthorized network access, sensitive data exposure, and further exploitation within the network.

Recommendations: For haotian-liu/llava version 1.2.0, consider disabling access to the "/run/predict" endpoint until a patch is available. Restricting the use of the path parameter in this endpoint can also help minimize the risk of exploitation.
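The recommendation above is to restrict the path parameter. The following is an added example of what that restriction can look like on the server side; it is not code from the llava project or from the advisory. It assumes the endpoint receives `path` as a string that is meant to name a local file under a fixed media directory (the directory name `llava-media` and all sample values are constructed). URL-shaped values, which are the SSRF vector the advisory describes, are refused outright, and an optional allowlist gate is shown for deployments that must keep remote fetches enabled.

```python
"""Hardened handling of a user-supplied `path` parameter (added example).

Not code from the llava project. Assumes `path` is meant to be a local file
under ALLOWED_ROOT; any URL-shaped value is rejected before anything is
opened or fetched.
"""
import ipaddress
import os
import tempfile
from urllib.parse import urlsplit

# Constructed media root for the example; it does not need to exist.
ALLOWED_ROOT = os.path.join(tempfile.gettempdir(), "llava-media")


class PathRejected(ValueError):
    """Raised when a `path` value fails validation."""


def is_forbidden_address(host: str) -> bool:
    """True for IP literals a server must never fetch on a caller's behalf:
    loopback, private (RFC 1918), link-local (covers the 169.254.169.254
    cloud metadata endpoint), multicast, reserved and unspecified ranges.
    Returns False for non-literal hostnames, which are handled separately."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_path_param(value: str, allowed_root: str) -> str:
    """Return an absolute path under allowed_root, or raise PathRejected.

    Rejects: (1) anything with a URL scheme or network location, e.g.
    http://, file://, //host/share, so the server never fetches for the
    caller; (2) NUL bytes, which truncate paths in C-level calls; (3) values
    that normalise to a location outside allowed_root. Note that urlsplit()
    treats "name:file.png" as scheme "name", so colon-bearing file names are
    also refused; that is the conservative choice here.
    """
    if not value or "\x00" in value:
        raise PathRejected("empty or NUL-containing path")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        raise PathRejected(f"URL-shaped value refused: {value!r}")
    root = os.path.realpath(allowed_root)
    # Leading slashes are stripped so absolute inputs are re-rooted, then
    # realpath() collapses ".." segments and symlinks before the containment
    # check, so "a/../../x" cannot slip past a purely textual prefix test.
    candidate = os.path.realpath(os.path.join(root, value.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(f"path escapes allowed root: {value!r}")
    return candidate


def remote_target_allowed(url: str, allowed_hosts: frozenset) -> bool:
    """Gate for deployments that must keep remote fetches enabled: only
    http/https, only an explicitly allowlisted host, and never an internal
    IP literal. Hostnames are deliberately not resolved here; resolve them
    and re-check every resulting address with is_forbidden_address() right
    before connecting, since DNS answers can point at internal ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if is_forbidden_address(parts.hostname):
        return False
    return parts.hostname.lower() in allowed_hosts


def triage_requests(samples, allowed_root):
    """Classify each constructed `path` value as 'ok' or 'rejected'."""
    verdicts = {}
    for value in samples:
        try:
            validate_path_param(value, allowed_root)
            verdicts[value] = "ok"
        except PathRejected:
            verdicts[value] = "rejected"
    return verdicts


# Constructed sample values for the `path` parameter (not real traffic).
SAMPLES = [
    "uploads/cat.png",                          # legitimate relative file
    "uploads/../uploads/dog.jpg",               # normalises inside root
    "http://169.254.169.254/latest/meta-data/", # metadata endpoint
    "file:///etc/passwd",                       # local file via URL scheme
    "//fileserver/share/image.png",             # scheme-relative URL
    "../../etc/passwd",                         # traversal out of root
]

if __name__ == "__main__":
    for value, verdict in triage_requests(SAMPLES, ALLOWED_ROOT).items():
        print(f"{verdict:8s} {value}")
```

The two defences are deliberately separate: `validate_path_param` is the fix for the endpoint as the advisory describes it (a path, not a URL), while `remote_target_allowed` exists only for cases where a remote fetch is a real requirement and must then be allowlisted rather than blocklisted.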

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2024-11449

Affected Products: Llava