CVE-2024-9309

Name of the Vulnerable Software and Affected Versions haotian-liu/llava version v1.2.0

Description A Server-Side Request Forgery (SSRF) issue exists in the "POST /worker generate stream" API endpoint of the Controller API Server. This allows attackers to exploit the server's credentials, performing unauthorized web actions or accessing unauthorized web resources.

Recommendations For version v1.2.0, consider disabling access to the "POST /worker generate stream" API endpoint until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the worker generate stream function in the affected API endpoint until the issue is resolved.