@blamejs/exceptd-skills 0.13.85 → 0.13.86

package/data/atlas-ttps.json

@@ -144,6 +144,7 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "CVE-2026-22778",
@@ -1704,6 +1705,8 @@
     "cve_refs": [
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2025-64496",

package/data/attack-techniques.json

@@ -272,6 +272,7 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1094",
@@ -841,7 +842,9 @@
       "CVE-2024-12987",
       "CVE-2024-1709",
       "CVE-2024-21762",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-43468",
@@ -3509,6 +3512,7 @@
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2024-39722",
       "CVE-2026-34926"
     ]
   },

package/data/cve-catalog.json

@@ -12557,6 +12557,215 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "SnakeYAML's default Constructor deserializes arbitrary types from untrusted YAML (CWE-502), enabling RCE; fixed in 2.0 (SafeConstructor default). The deserialization leg of the ShellTorch TorchServe chain."
   },
+  "CVE-2024-37032": {
+    "name": "Ollama Model Registry Path Traversal Arbitrary File Write RCE (Probllama)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Path traversal from insufficient validation of the SHA256 model-blob digest, enabling arbitrary file write and remote code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit exists (a Metasploit module and standalone PoCs, e.g. github.com/jakabakos/CVE-2024-37032-Ollama-RCE): an attacker stands up a rogue registry whose manifest embeds a path-traversal digest, and an Ollama pull writes attacker content to an arbitrary path.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research (Probllama). The abused surface is the model-pull path of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal in the model-runtime API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Ollama before 0.1.34.",
+    "affected_versions": [
+      "Ollama < 0.1.34"
+    ],
+    "vector": "Ollama does not validate that a model-blob digest is a 64-character hex SHA256, so a manifest from a rogue registry can embed path-traversal sequences in the digest. When Ollama pulls the model it writes attacker-controlled content to an arbitrary path (CWE-22), which can overwrite server files (e.g. a config or library) and achieve remote code execution. Disclosed by Wiz as Probllama; a public Metasploit module exists.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. PR:L.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Ollama to 0.1.34 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Ollama to 0.1.34 or later. Never expose the Ollama API (default port 11434) to untrusted networks, and only pull models from trusted registries."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime as managed, network-exposed software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model-blob digests / API path parameters in the runtime.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-runtime API's path handling as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the local-LLM runtime API as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model path traversal in an AI runtime API as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating paths/digests in the model-runtime API.",
+      "AU-ISM-1546": "Patch-application control does not single out local-LLM runtimes.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model-runtime API's path/digest handling as untrusted input; a rogue registry or crafted request reaches the filesystem."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Ollama is the most widely used local LLM runtime) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37032",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Ollama pulling a model from a non-default / untrusted registry whose manifest contains a blob digest that is not 64-hex (contains ../ or extra characters).",
+        "Ollama writing files outside its model blob store during a pull.",
+        "Ollama API (default port 11434) reachable from untrusted networks accepting model pulls.",
+        "Ollama < 0.1.34 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Wiz Probllama research (https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032) and the public Metasploit module / PoC (github.com/jakabakos/CVE-2024-37032-Ollama-RCE), plus NVD CVE-2024-37032 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37032",
+      "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+      "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Wiz Research (Probllama)",
+        "advisory_id": "CVE-2024-37032",
+        "url": "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+        "severity": "high",
+        "published_date": "2024-05-31"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37032",
+        "severity": "high",
+        "published_date": "2024-05-31"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 8.8) + Wiz Probllama research + the ollama GitHub advisory. Member of the Ollama API path-traversal family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ollama fails to validate the model-blob digest, so a rogue registry's manifest triggers path-traversal arbitrary file write and RCE (Probllama); fixed in 0.1.34."
+  },
+  "CVE-2024-39722": {
+    "name": "Ollama api/push Path Traversal File-Existence Disclosure",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH). Path traversal on the api/push route discloses which files exist on the Ollama host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo's 'More Models, More ProbLLMs' research and the GitHub advisory: a crafted api/push request with traversal sequences reveals file existence on the Ollama host.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security ('More Models, More ProbLLMs'). The abused surface is the Ollama HTTP API.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal in the model-runtime API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Ollama before 0.1.46 (fixed in 0.1.46).",
+    "affected_versions": [
+      "Ollama < 0.1.46"
+    ],
+    "vector": "Ollama's api/push route is vulnerable to path traversal (CWE-22): an unauthenticated request with traversal sequences reveals whether arbitrary paths exist on the server, a reconnaissance primitive that aids further exploitation. One of the Oligo 'More Models, More ProbLLMs' findings.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. PR:N — unauthenticated.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Ollama to 0.1.46 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Ollama to 0.1.46 or later and do not expose the Ollama API (default port 11434) to untrusted networks."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime as managed, network-exposed software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model-blob digests / API path parameters in the runtime.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-runtime API's path handling as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the local-LLM runtime API as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model path traversal in an AI runtime API as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating paths/digests in the model-runtime API.",
+      "AU-ISM-1546": "Patch-application control does not single out local-LLM runtimes.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model-runtime API's path/digest handling as untrusted input; a rogue registry or crafted request reaches the filesystem."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 (Ollama is the most widely used local LLM runtime) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-39722",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "api/push requests to the Ollama API containing path-traversal sequences (../) in path parameters.",
+        "Probe patterns enumerating host file existence via the Ollama HTTP API from untrusted sources.",
+        "Ollama API (default port 11434) exposed to untrusted networks.",
+        "Ollama < 0.1.46 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Oligo 'More Models, More ProbLLMs' research (https://www.oligo.security/blog/more-models-more-probllms), plus NVD CVE-2024-39722 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-39722",
+      "https://www.oligo.security/blog/more-models-more-probllms",
+      "https://www.oligo.security/blog/more-models-more-probllms"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Oligo Security (More Models, More ProbLLMs)",
+        "advisory_id": "CVE-2024-39722",
+        "url": "https://www.oligo.security/blog/more-models-more-probllms",
+        "severity": "high",
+        "published_date": "2024-10-31"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-39722",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39722",
+        "severity": "high",
+        "published_date": "2024-10-31"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + Oligo 'More Models, More ProbLLMs' research + the ollama GitHub advisory. Member of the Ollama API path-traversal family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ollama's api/push route path traversal (CWE-22) lets an unauthenticated attacker disclose file existence on the host; fixed in 0.1.46."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -96,6 +96,8 @@
       "CVE-2023-43472",
       "CVE-2024-0769",
       "CVE-2024-1708",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-57728",
       "CVE-2024-7399",
       "CVE-2025-2749",

package/data/framework-control-gaps.json

@@ -38,6 +38,8 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -1373,7 +1375,9 @@
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -1775,6 +1779,8 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -2213,6 +2219,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2369,7 +2377,9 @@
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -4848,6 +4858,8 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5371,6 +5383,8 @@
     "evidence_cves": [
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5437,6 +5451,8 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",

package/data/zeroday-lessons.json

@@ -7383,6 +7383,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-37032": {
+    "name": "Ollama Model Registry Path Traversal Arbitrary File Write RCE (Probllama)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Ollama CWE-22 path traversal via unvalidated model-blob digest: an attacker reaching the Ollama HTTP API (default port 11434) manipulates a path/digest the runtime then uses against the filesystem, writing attacker content to an arbitrary path and achieving RCE.",
+      "privileges_required": "low / network (NVD PR:L) — reachable via the Ollama API + a rogue registry",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-pull / model API of the most widely used local LLM runtime. The lesson: the model-runtime API must validate digests and path parameters and must never be network-exposed to untrusted clients; pulling from untrusted registries is a supply-chain trust decision."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime as managed, network-exposed software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model-blob digests / API path parameters in the runtime."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model-runtime API's path/digest handling as untrusted input reaching the filesystem."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Local-LLM runtimes are run on trusted-network assumptions and rarely tracked; model pulls from arbitrary registries are not gated.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "The model-runtime API must validate path-bearing inputs (model-blob digests must be exactly 64-hex SHA256; API route parameters must reject traversal sequences) before touching the filesystem, must not be exposed to untrusted networks (Ollama default port 11434), and must only pull models from trusted registries. Upgrade Ollama to 0.1.34 or later. The distinguishing test: point a staging Ollama at a rogue registry whose manifest carries a traversal digest, and send api/push requests with ../ sequences, and confirm both are rejected without filesystem access.",
+        "evidence": "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-39722": {
+    "name": "Ollama api/push Path Traversal File-Existence Disclosure",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Ollama CWE-22 path traversal on the api/push route: an attacker reaching the Ollama HTTP API (default port 11434) manipulates a path/digest the runtime then uses against the filesystem, disclosing which files exist on the host.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-pull / model API of the most widely used local LLM runtime. The lesson: the model-runtime API must validate digests and path parameters and must never be network-exposed to untrusted clients; pulling from untrusted registries is a supply-chain trust decision."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime as managed, network-exposed software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model-blob digests / API path parameters in the runtime."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model-runtime API's path/digest handling as untrusted input reaching the filesystem."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "Local-LLM runtimes are run on trusted-network assumptions and rarely tracked; model pulls from arbitrary registries are not gated.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "The model-runtime API must validate path-bearing inputs (model-blob digests must be exactly 64-hex SHA256; API route parameters must reject traversal sequences) before touching the filesystem, must not be exposed to untrusted networks (Ollama default port 11434), and must only pull models from trusted registries. Upgrade Ollama to 0.1.46 or later. The distinguishing test: point a staging Ollama at a rogue registry whose manifest carries a traversal digest, and send api/push requests with ../ sequences, and confirm both are rejected without filesystem access.",
+        "evidence": "https://www.oligo.security/blog/more-models-more-probllms",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2022-1471": {
     "name": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain)",
     "lesson_date": "2026-05-25",