Upstream information
Description
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
CNA (CISA-ADP) | |
---|---|
Base Score | 6.9 |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | High |
Integrity Impact | Low |
Availability Impact | None |
CVSSv3 Version | 3.1 |
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15405 |
SUSE Timeline for this CVE
CVE page created: Tue Jul 22 22:00:20 2025CVE page last modified: Thu Aug 7 22:27:05 2025