Moderate severityNVD Advisory· Published May 31, 2024· Updated Mar 27, 2025
CVE-2024-37032
CVE-2024-37032
Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ollama/ollamaGo | < 0.1.34 | 0.1.34 |
Affected products
7- osv-coords6 versionspkg:apk/chainguard/ollamapkg:apk/chainguard/ollama-cpupkg:apk/wolfi/ollamapkg:apk/wolfi/ollama-cpupkg:golang/github.com/ollama/ollamapkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0.1.44-r0+ 5 more
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.34
- (no CPE)range: < 0.0.20241213T205935-1.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-8hqg-whrw-pv92ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-37032ghsaADVISORY
- github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.goghsaWEB
- github.com/ollama/ollama/commit/2a21363bb756a7341d3d577f098583865bd7603fghsaWEB
- github.com/ollama/ollama/compare/v0.1.33...v0.1.34ghsaWEB
- github.com/ollama/ollama/pull/4175ghsaWEB
- pkg.go.dev/vuln/GO-2024-2901ghsaWEB
- www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032ghsaWEB
News mentions
0No linked articles in our index yet.