Nixpkgs security tracker
6.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Not Defined (X)
- Remediation Level (RL): Not Defined (X)
- Report Confidence (RC): Reasonable (R)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Ollama Model Pull API download.go server-side request forgery
A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
References
-
-
Submit #782107 | Ollama 18.1 and previous Server-Side Request Forgery third-party-advisory
Affected products
- ==18.1
- ==18.0
Matching in nixpkgs
pkgs.ollama
Get up and running with large language models locally
pkgs.gollama
Go manage your Ollama models
pkgs.ollama-cpu
Get up and running with large language models locally
pkgs.ollama-cuda
Get up and running with large language models locally, using CUDA for NVIDIA GPU acceleration
pkgs.ollama-rocm
Get up and running with large language models locally, using ROCm for AMD GPU acceleration
pkgs.ollama-vulkan
Get up and running with large language models locally, using Vulkan for generic GPU acceleration
pkgs.pkgsRocm.ollama
Get up and running with large language models locally, using ROCm for AMD GPU acceleration
pkgs.nextjs-ollama-llm-ui
Simple chat web interface for Ollama LLMs
pkgs.python312Packages.ollama
None
pkgs.python313Packages.ollama
Ollama Python library
pkgs.python314Packages.ollama
Ollama Python library
pkgs.python312Packages.llm-ollama
None
pkgs.python313Packages.llm-ollama
LLM plugin providing access to Ollama models using HTTP API
pkgs.python314Packages.llm-ollama
LLM plugin providing access to Ollama models using HTTP API
pkgs.haskellPackages.ollama-haskell
Haskell client for ollama
pkgs.gnomeExtensions.ollama-indicator
An indicator that let you run models with Ollama.
pkgs.python312Packages.langchain-ollama
None
pkgs.python313Packages.langchain-ollama
Integration package connecting Ollama and LangChain
pkgs.python314Packages.langchain-ollama
Integration package connecting Ollama and LangChain
pkgs.home-assistant-component-tests.ollama
None
pkgs.python313Packages.llama-index-llms-ollama
LlamaIndex LLMS Integration for ollama
pkgs.tests.home-assistant-component-tests.ollama
Open source home automation that puts local control and privacy first
pkgs.pkgsRocm.python3Packages.llama-index-llms-ollama
LlamaIndex LLMS Integration for ollama
Package maintainers
-
@honnip Jung seungwoo <me@honnip.page>
-
@genga898 Emmanuel Genga <genga898@gmail.com>
-
@malteneuss Malte Neuss
-
@prusnak Pavol Rusnak <pavol@rusnak.io>
-
@dit7ya Mostly Void <7rat13@gmail.com>
-
@sarahec Sarah Clark <seclark@nextquestion.net>
-
@Erethon Dionysis Grigoropoulos <dgrig@erethon.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>