CVE-2024-12886
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
An Out-Of-Memory (OOM) vulnerability exists in the ollama server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the ollama server crashing. The vulnerability is present in the makeRequestWithRetry and getAuthorizationToken functions, which use io.ReadAll to read the response body. This can result in excessive memory usage and a Denial of Service (DoS) condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ollama | ollama/ollama | unspecified <= latest | affected |
Weaknesses
- CWE-409: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.