GHSA-wx43-g55g-2jf4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wx43-g55g-2jf4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-wx43-g55g-2jf4/GHSA-wx43-g55g-2jf4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wx43-g55g-2jf4
- Aliases
- Published
- 2024-04-10T18:30:48Z
- Modified
- 2024-07-08T21:04:48Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LocalAI Command Injection in audioToWav
- Details
-
A command injection vulnerability exists in the
TranscriptEndpointof mudler/localai, specifically within theaudioToWavfunction used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code. - Database specific
{ "nvd_published_at": "2024-04-10T17:15:53Z", "cwe_ids": [ "CWE-78" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-10T22:16:45Z" }- References
Affected packages
Go / github.com/go-skynet/LocalAI
Package
- Name
- github.com/go-skynet/LocalAI
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/go-skynet/LocalAI