CVE-2024-28224
PUBLISHED
CVSS 6.6 MEDIUM
Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).
EPSS 0.19% · 40.9th percentile
Risk Scores
CVSS v3.1
6.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS Score
0.19%
40.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | ollama/ollama | 0 |
| n/a | n/a | * |
| ollama | ollama | 0 |
Timeline
- Apr 8, 2024 CVE Published
- Apr 9, 2024 EPSS Score
- May 4, 2024 EPSS Score
- May 29, 2024 EPSS Score
- Jun 23, 2024 EPSS Score
- Jul 19, 2024 EPSS Score
- Aug 13, 2024 EPSS Score
- Sep 7, 2024 EPSS Score
- Oct 2, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 27, 2024 EPSS Score
- Nov 21, 2024 EPSS Score
References
- https://www.nccgroup.trust/us/our-research/?research=Technical+advisories url
- https://github.com/ollama/ollama/releases url
- https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224/ url
- https://nvd.nist.gov/vuln/detail/CVE-2024-28224 advisory
- https://github.com/ollama/ollama package
- https://pkg.go.dev/vuln/GO-2024-2699 url
- https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224 url