CVE-2024-37032
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- May 31, 2024
- Published Date
- May 31, 2024
- Last Updated
- March 27, 2025
- Vendor
- Ollama
- Product
- Ollama
- Description
- Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
- Tags
- Score
- 91.60% (Percentile: 99.65%) as of 2025-06-12
- Exploitation
- none
- Technical Impact
- partial
- Exploited in the Wild
- Yes (2025-05-15 00:00:00 UTC) Source
CVSS Scores
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-05-15 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-37032.yaml | 2025-04-26 00:00:00 UTC |
| Nessus | https://www.tenable.com/plugins/nessus/200185 | 2024-06-07 14:43:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
pankass/CVE-2024-37032_CVE-2024-45436
Type: github • Created: 2024-10-21 05:44:49 UTC • Stars: 4
Bi0x/CVE-2024-37032
Type: github • Created: 2024-06-26 03:11:29 UTC • Stars: 44
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Detected by Nessus
-
Detected by Nuclei
-
Added to KEVIntel