Ollama
cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*
- 0.20.0
- 0.20.1
- 0.20.2
A critical path traversal vulnerability exists in Ollama versions through 0.20.2, specifically within the Tensor Model Transfer Handler component. The issue arises in the `digestToPath` function of the file `x/imagegen/transfer/transfer.go`, where the function fails to properly validate digest strings before using them to create file paths. This oversight allows remote attackers to manipulate the digest argument, leading to unauthorized file access on the server.
Exploitation of this vulnerability allows for arbitrary file read access on the host filesystem, including sensitive files such as SSH keys, credentials, and application secrets. The vulnerability also impacts the availability of the application by allowing the reading of any file accessible to the Ollama process.
The vulnerability can be reproduced by sending a crafted OCI manifest to an Ollama API endpoint that includes directory traversal sequences in the digest field. This can be done using a proof-of-concept script that automates the process of pulling a model with the malicious manifest, which then exfiltrates the contents of the traversed files.
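The missing check described above, validating the digest before it becomes part of a file path, can be written as a strict grammar match followed by a containment check. The Go code below is an added example, not Ollama's source or its fix; the `sha256:<64 hex>` grammar, the `sha256-` file naming, the names `naiveDigestToPath`, `safeDigestToPath` and `inside`, and the `/var/lib/blobs` directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrBadDigest = errors.New("invalid digest")

// Assumed grammar: "sha256:" followed by exactly 64 lowercase hex characters.
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// inside reports whether p stays within dir after lexical cleaning.
func inside(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// naiveDigestToPath is a hypothetical unsafe mapping (not Ollama's source):
// the digest goes straight into the path with no validation.
func naiveDigestToPath(blobDir, digest string) string {
	return filepath.Join(blobDir, strings.Replace(digest, ":", "-", 1))
}

// safeDigestToPath validates the digest first, then confirms containment.
func safeDigestToPath(blobDir, digest string) (string, error) {
	if !digestRE.MatchString(digest) {
		return "", fmt.Errorf("%w: %q", ErrBadDigest, digest)
	}
	p := filepath.Join(blobDir, strings.Replace(digest, ":", "-", 1))
	if !inside(blobDir, p) { // defense in depth if the grammar is ever loosened
		return "", fmt.Errorf("%w: path leaves %s", ErrBadDigest, blobDir)
	}
	return p, nil
}

func main() { // every value below is a constructed sample
	dir := "/var/lib/blobs"
	inputs := []string{
		"sha256:" + strings.Repeat("ab", 32),
		"sha256:../../../outside/secret.txt",
	}
	for _, d := range inputs {
		_, err := safeDigestToPath(dir, d)
		fmt.Printf("%q naive_inside=%v safe_err=%v\n", d, inside(dir, naiveDigestToPath(dir, d)), err)
	}
}
```

The same validation belongs at the point where a manifest is parsed, so a malformed digest is rejected before any transfer or path logic sees it.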