Protect AI | Threat Research

Protect AI's August 2024 Vulnerability Report

Written by Dan McInerney & Marcello Salvati | Aug 15, 2024 7:00:00 AM

Executive Summary:

At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them. 

Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunt for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats. These tools are Open Source and downloaded thousands of times a month to build enterprise AI Systems. They also likely come out of the box with vulnerabilities that can lead directly to complete system takeovers such as unauthenticated remote code execution or local file inclusion. This report contains 20 vulnerabilities. You can find all the details of this month's vulnerabilities in the table below, or you can head over to protectai.com/sightline, to search the comprehensive database of all huntr findings, and download tools to detect, assess and remediate them within your organizations AI Supply chain. 

It is important to note that all vulnerabilities were reported to the maintainers a minimum of 45 days prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately, if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out, we’re here to help. community@protectai.com.

Remote Code Execution (RCE) in Setuptools

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

Impact: This vulnerability allows attackers to execute arbitrary code on the system using specially crafted package URLs.

The vulnerability in Setuptools arises from the way it handles package URLs, allowing for code injection. If an attacker can control the URL input, they can inject and execute arbitrary commands on the system. This can be exploited through various vectors, including setup configuration files, command-line arguments, and custom applications relying on Setuptools.

Authorization Bypass in Lunary

https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b

Impact: Removed users can still access, modify, and delete organizational templates, leading to unauthorized data manipulation.

The vulnerability in Lunary allows users who have been removed from an organization to continue accessing and modifying templates using old authorization tokens. This occurs because the system does not invalidate tokens upon user removal, enabling unauthorized actions such as reading, creating, editing, and deleting templates.

Server-Side Request Forgery (SSRF) in Netaddr

https://huntr.com/bounties/dc4c3967-8951-40dc-94f1-46df7fb57060

Impact: This vulnerability can be exploited to bypass SSRF protections, potentially allowing access to internal networks.

The vulnerability in Netaddr involves the mishandling of IPv4-mapped IPv6 addresses. Functions like is_private, is_link_local, and is_loopback do not correctly identify these addresses, which can lead to SSRF attacks. Attackers can exploit this by using IPv4-mapped IPv6 addresses to bypass security checks and access internal resources.

CVE

Title

Severity

CVSS

Fixed

Recommendations

CVE-2024-0455

ssrf bug to steal aws metadata in anything-llm

Critical

9.9

Yes

Upgrade to latest version

CVE-2024-2952

Server-Side Template Injection in /completions endpoint in litellm

Critical

9.8

Yes

Upgrade to version 1.34.42

CVE-2024-3408

Authentication bypass and RCE in dtale

Critical

9.8

Yes

Upgrade to version 3.13.1

None

OS Command Injection in prune_by_memory_estimation in paddle

Critical

9.8

Yes

Upgrade to latest version

CVE-2024-0765

default/manager user can get all system database information like username,password,api_key etc. in anything-llm

Critical

9.6

Yes

Upgrade to latest version

CVE-2024-3279

Anonymous access to import endpoint leads to anythingllm.db deletion/spoofing in anything-llm

Critical

9.1

Yes

Upgrade to latest version

CVE-2024-1741

Member can read/create/modify/delete templates even after removed from organizations in lunary

Critical

9.1

Yes

Upgrade to version 1.2.8

CVE-2024-5980

Arbitrary File Write via /v1/runs API endpoint in pytorch-lightning

Critical

9.1

Yes

Upgrade to version 2.3.3

CVE-2024-6345

Remote code execution via download functions in the package_index module in setuptools

High

8.8

Yes

Upgrade to version 70.0

CVE-2024-0759

ssrf bug to access internal network in anything-llm

High

7.7

Yes

Upgrade to latest version

CVE-2024-1902

reuse of old session to change organization name in lunary

High

7.5

Yes

Upgrade to version 1.2.8

None

Bypass private/linklocal/loopback IP validation Method lead to SSRF in netaddr

High

7.5

Yes

Upgrade to version 0.10.0

CVE-2024-6281

Path Traversal in Settings in lollms

High

7.3

Yes

Upgrade to version 9.5.1

CVE-2024-0436

timing attack to guess the authtoken in anything-llm

High

7.1

Yes

Upgrade to latest version

CVE-2024-3278

Privilige escalation from manager to admin in anything-llm

High

7.1

Yes

Upgrade to latest version

CVE-2024-3135

Cross-Site Request Forgery On All API Calls Leads to Resource, Credit & Disk Space Exhaustion in localai

Medium

6.5

Yes

Upgrade to version 2.17

CVE-2024-3095

SSRF in Langchain Web Research Retriever in langchain

Medium

4.8

Yes

Upgrade to version 0.2.9

CVE-2024-2965

Denial-of-Service in LangChain SitemapLoader in langchain

Medium

4.2

Yes

Upgrade to version 0.2.5

None

Insecure Temporary File in setuptools

Medium

4.0

Yes

Upgrade to version 70.0.1

None

Unsafe Usage of tempfile.mktemp in clearml Code in clearml

Low

2.8

Yes

Upgrade to version 1.14.2