CVE-2024-28224

Published: Apr 8, 2024Modified: May 13, 2025

6.6

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Exploitability: 1.8 / Impact: 4.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

Affected (1)

Products: Ollama: Ollama

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ollama Ollama	Before 0.1.29

Related CWEs

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (6)

https://github.com/ollama/ollama/releases

Source: cve@mitre.org

Release Notes

https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224/

Source: cve@mitre.org

Not Applicable

https://www.nccgroup.trust/us/our-research/?research=Technical+advisories

Source: cve@mitre.org

Broken Link

https://github.com/ollama/ollama/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224/

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://www.nccgroup.trust/us/our-research/?research=Technical+advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.