CVE-2024-7773

Name of the Vulnerable Software and Affected Versions ollama/ollama version 0.1.37

Description The issue is related to improper input validation in the handling of zip files, known as ZipSlip, which occurs in the parseFromZipFile function in server/model.go. This allows an attacker to write arbitrary files to the file system due to the code not checking for directory traversal sequences (../) in file names within the zip archive. The vulnerability can be exploited to create files such as /etc/ld.so.preload and a malicious shared library, leading to remote code execution (RCE).

Recommendations For ollama/ollama version 0.1.37, consider disabling the parseFromZipFile function until a patch is available to prevent exploitation. Restrict access to the server/model.go module to minimize the risk of exploitation. Avoid using zip files from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.