CVE-2024-9309

Critical CVSS: 9.3

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized web actions or access unauthorized web resources.

Vendor

Hliu

Product

Llava

CWE

CWE-918

Yayın Tarihi

2025-03-20 10:15:47

Güncelleme

2025-07-15 15:46:20

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-918 Llava CRITICAL Hliu 2025

Referanslar

https://huntr.com/bounties/2ba6be79-5c90-48fa-99cb-82503ea49a12

Benzer Kayıtlar

Medium

CVE-2024-9308

An open redirect vulnerability in haotian-liu/llava version v1.2.0 (LLaVA-1.6) allows a remote unauthenticated attacker…

Medium

CVE-2024-9311

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload f…

High

CVE-2024-12068

A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. T…

High

CVE-2024-12070

A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release…

High

CVE-2024-12065

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacke…

High

CVE-2024-11449

A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the…