PT-2025-12255 · Openllm · Openllm

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-8982

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenLLM version 0.6.10

Description: A Local File Inclusion (LFI) flaw in OpenLLM allows an attacker to make the web application include files from the local server, potentially exposing internal server files and sensitive information such as configuration files, passwords, and other critical data. Unauthorized access to critical server files, including configuration files, user credentials (/etc/passwd), and private keys, can compromise the system's security. An attacker could use the exposed information to penetrate further into the network, exfiltrate data, or escalate privileges within the environment.

Recommendations: For OpenLLM version 0.6.10, consider disabling the web application's file inclusion functionality until a patch is available, so that attackers cannot include local server files. Restrict access to sensitive files and directories (configuration files, user credentials, private keys) to limit the impact of exploitation. Avoid keeping sensitive information within the web application's reach until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
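The following Python is an added illustration of the vulnerability class the description refers to, not OpenLLM's code, and it says nothing about where the flaw sits in OpenLLM. It places the classic unsafe pattern (joining user input straight onto a base directory) beside a hardened resolver that enforces the "restrict access to sensitive files and directories" recommendation in code: the requested path is resolved, symlinks included, and rejected unless it stays inside an allow-listed base directory. The directory and file names (`templates`, `greeting.txt`, `secret.txt`) are constructed for the demo.

```python
"""
Illustrative example for the OpenLLM LFI advisory (CVE-2024-8982).
Example code added here, not OpenLLM's own; paths and contents are constructed.
"""
import tempfile
from pathlib import Path


def include_file_unsafe(base_dir, requested):
    """Vulnerable pattern: user input is joined onto the base directory as-is.

    A ``requested`` value containing ``..`` segments, or an absolute path
    (pathlib discards ``base_dir`` when the right-hand side is absolute),
    escapes ``base_dir`` and reads arbitrary files the process can open.
    """
    return (Path(base_dir) / requested).read_text()


def include_file_safe(base_dir, requested):
    """Hardened pattern: resolve, then require containment in the base directory.

    ``resolve()`` normalises ``..`` and follows symlinks, so a link planted
    inside ``base_dir`` that points outside it is also rejected.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)          # raises ValueError when outside base
    except ValueError:
        raise PermissionError(f"refusing to include a path outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_text()


def demo():
    """Exercise both functions in a constructed sandbox; returns outcome labels."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "templates"
        base.mkdir()
        (base / "greeting.txt").write_text("hello")
        # Constructed stand-in for a sensitive file that lives outside the base dir.
        outside = Path(tmp) / "secret.txt"
        outside.write_text("s3cr3t")

        results = {
            "unsafe_inside": include_file_unsafe(base, "greeting.txt"),
            # The unsafe join happily reads the file one level up.
            "unsafe_traversal": include_file_unsafe(base, "../secret.txt"),
            "safe_inside": include_file_safe(base, "greeting.txt"),
        }
        for label, req in (("safe_traversal", "../secret.txt"),
                           ("safe_absolute", str(outside))):
            try:
                include_file_safe(base, req)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is done on the resolved path rather than by string-prefix matching, so `../`, absolute paths and symlinks are all handled by the same test; a prefix check such as `str(candidate).startswith(str(base))` would also accept a sibling directory like `templates-backup`.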
Related Identifiers

CVE-2024-8982

Affected Products

Openllm