At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them.
Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunt for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats. These tools are Open Source and downloaded thousands of times a month to build enterprise AI Systems. They also likely come out of the box with vulnerabilities that can lead directly to complete system takeovers such as unauthenticated remote code execution or local file inclusion. This report contains 31 vulnerabilities, including some critical vulnerabilities found in the Triton Inference Server and the Intel Neural Compressor. You can find all the details of all this month's vulnerabilities in the table below, or you can head over to protectai.com/sightline, to search the comprehensive database of huntr findings, and download tools to detect, assess and remediate them within your organizations AI Supply chain.
It is important to note that all vulnerabilities were reported to the maintainers a minimum of 45 days prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately, if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out, we’re here to help. community@protectai.com.
https://sightline.protectai.com/vulnerabilities/979e1aa6-534e-4478-9bc2-dee60a1971a8/assess
Impact: Allows attackers to inject arbitrary log entries, potentially hiding malicious activities or misleading investigations.
The Triton Inference Server is vulnerable to log injection due to insufficient sanitization of user input in log entries. Attackers can exploit this to forge logs, mislead investigations, or execute ANSI escape sequences that could harm the log viewer's system.
https://sightline.protectai.com/vulnerabilities/1d6ccb37-f83d-4726-ac7d-06f922792879/assess
Impact: Enables attackers to manipulate database entries and download arbitrary files from the host system.
The Neural Solution Server's task submission API is vulnerable to SQL injection, allowing attackers to alter database records and download files from the server without authorization. This compromises both the integrity of the database and the confidentiality of the server's files.
https://sightline.protectai.com/vulnerabilities/70f44145-9c74-4ee8-9934-034616e8fbcd/assess
Impact: Permits unauthorized read and write operations on memory, potentially leading to a crash or arbitrary code execution.
The Triton Inference Server improperly validates parameters for shared memory operations, allowing attackers to specify illegal memory offsets. This can lead to unauthorized memory access, causing segmentation faults or enabling arbitrary code execution through crafted requests.
CVE |
Title |
Severity |
CVSS |
Fixed |
Recommendations |
Critical |
10 |
Yes |
Upgrade to latest release |
||
CVE-2024-3234 |
LFI due to the use of outdated components in chuanhuchatgpt34 |
Critical |
9.8 |
Yes |
Upgrade to version 20240305 |
CVE-2024-3429 |
Critical |
9.8 |
Yes |
Upgrade to version 9.6 |
|
CVE-2024-3584 |
Path traversal in collection name leads to arbitrary file overwrite in qdrant |
Critical |
9.8 |
Yes |
Upgrade to version v1.9.0 |
Arbitrary file read and write during snapshot recovery in qdrant |
Critical |
9.8 |
Yes |
Upgrade to version v1.9.0 |
|
Critical |
9.8 |
Yes |
Upgrade to version 1.2.26 |
||
Critical |
9.6 |
Yes |
Upgrade to latest release |
||
Critical |
9.4 |
Yes |
Upgrade to version 1.2.25 |
||
Critical |
9.1 |
Yes |
Upgrade to version 1.2.8 |
||
lack of path sanitization for windows leads to LFI in lollms |
Critical |
9.1 |
Yes |
Upgrade to version 9.8 |
|
Critical |
9.1 |
Yes |
Upgrade to latest release |
||
Critical |
9.0 |
Yes |
Upgrade to version 24.04 |
||
High |
8.4 |
Yes |
Upgrade to version 9.5 |
||
Privilege Escalation Vulnerability to delete any datasets in lunary |
High |
8.2 |
Yes |
Upgrade to version 1.2.8 |
|
Default / manager user can escalate their privileges to Administrator in anything-llm |
High |
8.1 |
Yes |
Upgrade to latest release |
|
User with manager role is able to create new Administrator accounts in anything-llm |
High |
8.1 |
Yes |
Upgrade to latest release |
|
Improper access control-allow update org user to org owner in lunary |
High |
8.1 |
Yes |
Upgrade to version 1.2.7 |
|
High |
7.8 |
Yes |
Upgrade to version 0.27.0 |
||
Improper access control-allow update prompt that is deployed in lunary |
High |
7.6 |
Yes |
Upgrade to version 1.2.25 |
|
Authorization header leakage on same-domain but cross-origin redirect in scrapy |
High |
7.5 |
Yes |
Upgrade to version 2.11.2 |
|
High |
7.5 |
Yes |
Upgrade to version 1.2.8 |
||
High |
7.5 |
Yes |
Upgrade to version 1.2.25 |
||
High |
7.5 |
Yes |
Upgrade to version 4.31.4 |
||
Path traversal leads to read any file on the Windows platform system in lollms |
High |
7.5 |
Yes |
Upgrade to version 5.9.0 |
|
Medium |
5.5 |
Yes |
Upgrade to version 24.04 |
||
Medium |
5.4 |
Yes |
Upgrade to version 1.2.25 |
||
Unexpected Training Data Storage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn |
Medium |
5.3 |
Yes |
Upgrade to version 1.5.0 |
|
Denial of service by assigning specific user id in anything-llm |
Medium |
4.9 |
Yes |
Upgrade to latest release |
|
User modification allows for data modification in anything-llm |
Medium |
4.9 |
Yes |
Upgrade to latest release |
|
Medium |
4.7 |
Yes |
Upgrade to latest release |
||
Medium |
4.3 |
Yes |
Upgrade to latest release |