7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45436

GHSA ID

GHSA-846m-99qv-67mg

EPSS Score

0.96266%

CWE

CWE-22

Published

8/29/2024

Updated

8/29/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45436

CVE-2024-45436: Ollama can extract members of a ZIP archive outside of the parent directory

extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45436

CVE-2024-45436:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45436

GHSA ID

GHSA-846m-99qv-67mg

EPSS Score

0.96266%

CWE

CWE-22

Published

8/29/2024

Updated

8/29/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ollama/ollama	go	< 0.1.47	0.1.47

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the original implementation of extractFromZipFile which directly used zip.File.Name without path sanitization. The commit diff shows the addition of a path validation check using strings.HasPrefix(n, p) to prevent parent directory escapes. The CVE description specifically names this function, and the patch adds both the security check and corresponding test cases to validate() the fix. The vulnerable version joined user-controlled ZIP entry names with the target directory without normalization, enabling directory traversal attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45436: Ollama can extract members of a ZIP archive outside of the parent directory

CVE-2024-45436:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2024-45436: Ollama can extract members of a ZIP archive outside of the parent directory

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI