CVE-2024-7010 (GCVE-0-2024-7010)
Vulnerability from cvelistv5 – Published: 2024-10-29 12:48 – Updated: 2025-10-15 12:50
VLAI?
Title
Timing Attack in mudler/localai
Summary
mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access.
Severity ?
7.5 (High)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mudler | mudler/localai |
Affected:
unspecified , < 2.21
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "localai",
"vendor": "mudler",
"versions": [
{
"lessThan": "2.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T13:18:36.382204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T13:30:36.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mudler/localai",
"vendor": "mudler",
"versions": [
{
"lessThan": "2.21",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server\u0027s response time, potentially leading to unauthorized access."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T12:50:35.354Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362"
},
{
"url": "https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468"
}
],
"source": {
"advisory": "e286ed00-6383-47de-b5bc-9b9fad67c362",
"discovery": "EXTERNAL"
},
"title": "Timing Attack in mudler/localai"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-7010",
"datePublished": "2024-10-29T12:48:29.287Z",
"dateReserved": "2024-07-23T03:56:04.540Z",
"dateUpdated": "2025-10-15T12:50:35.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CDCAF2D5-46FD-4D8E-B65B-9BE9FDD5D686\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server\u0027s response time, potentially leading to unauthorized access.\"}, {\"lang\": \"es\", \"value\": \" La versi\\u00f3n 2.17.1 de mudler/localai es vulnerable a un ataque de sincronizaci\\u00f3n. Este tipo de ataque de canal lateral permite a un atacante comprometer el sistema criptogr\\u00e1fico analizando el tiempo que lleva ejecutar algoritmos criptogr\\u00e1ficos. Espec\\u00edficamente, en el contexto del manejo de contrase\\u00f1as, un atacante puede determinar credenciales de inicio de sesi\\u00f3n v\\u00e1lidas en funci\\u00f3n del tiempo de respuesta del servidor, lo que puede provocar un acceso no autorizado.\"}]",
"id": "CVE-2024-7010",
"lastModified": "2024-11-14T14:15:19.160",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2024-10-29T13:15:08.683",
"references": "[{\"url\": \"https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\"]}, {\"url\": \"https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-7010\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-10-29T13:15:08.683\",\"lastModified\":\"2025-10-15T13:15:50.737\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server\u0027s response time, potentially leading to unauthorized access.\"},{\"lang\":\"es\",\"value\":\" La versi\u00f3n 2.17.1 de mudler/localai es vulnerable a un ataque de sincronizaci\u00f3n. Este tipo de ataque de canal lateral permite a un atacante comprometer el sistema criptogr\u00e1fico analizando el tiempo que lleva ejecutar algoritmos criptogr\u00e1ficos. Espec\u00edficamente, en el contexto del manejo de contrase\u00f1as, un atacante puede determinar credenciales de inicio de sesi\u00f3n v\u00e1lidas en funci\u00f3n del tiempo de respuesta del servidor, lo que puede provocar un acceso no autorizado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDCAF2D5-46FD-4D8E-B65B-9BE9FDD5D686\"}]}]}],\"references\":[{\"url\":\"https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7010\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-29T13:18:36.382204Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*\"], \"vendor\": \"mudler\", \"product\": \"localai\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.21\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-29T13:30:26.296Z\"}}], \"cna\": {\"title\": \"Timing Attack in mudler/localai\", \"source\": {\"advisory\": \"e286ed00-6383-47de-b5bc-9b9fad67c362\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"mudler\", \"product\": \"mudler/localai\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.21\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362\"}, {\"url\": \"https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server\u0027s response time, potentially leading to unauthorized access.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-203\", \"description\": \"CWE-203 Observable Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-11-14T13:28:44.849Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-7010\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-14T13:28:44.849Z\", \"dateReserved\": \"2024-07-23T03:56:04.540Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-10-29T12:48:29.287Z\", \"assignerShortName\": \"@huntr_ai\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…