{"data":{"id":"21091634-8bbc-453d-833d-35b411b5074b","title":"CVE-2024-45436: extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent direct","summary":"Ollama before version 0.1.47 has a vulnerability in its extractFromZipFile function where it can extract files from a ZIP archive outside of the intended parent directory, a weakness called path traversal (CWE-22, where an attacker manipulates file paths to access directories they shouldn't). This could allow an attacker to write files to unintended locations on a system when processing a specially crafted ZIP file.","solution":"Update Ollama to version 0.1.47 or later. The fix is available in the comparison between v0.1.46 and v0.1.47 (https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47) and was implemented in pull request #5314 (https://github.com/ollama/ollama/pull/5314).","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-45436","publishedAt":"2024-08-29T07:15:05.460Z","cveId":"CVE-2024-45436","cweIds":["CWE-22","CWE-22"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Ollama"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.29079,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}