Protect AI | Threat Research

Protect AI's March 2024 Vulnerability Report

Written by Dan McInerney & Marcello Salvati | Mar 14, 2024 7:00:00 AM

Introduction

At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them. 

Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunt for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats. These tools are Open Source and downloaded thousands of times a month to build enterprise AI Systems. They also likely come out of the box with vulnerabilities that can lead directly to complete system takeovers such as unauthenticated remote code execution or local file inclusion. 

The list of vulnerabilities continues to grow, with 9 valid reports included in this publication. Below you will find a full list discovered by our community, with this month's most interesting ones being focused on anything-llm.

It is important to note that all vulnerabilities were reported to the maintainers a minimum of 45 days prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately, if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out, we’re here to help. community@protectai.com.

Server-Side Request Forgery (SSRF) in Mintplex-Labs/anything-llm

https://huntr.com/bounties/263fd7eb-f9a9-4578-9655-0e28c609272f/

Impact: Allows attackers to access internal network resources, local files, and potentially AWS metadata.

An attacker can exploit the lack of validation in the document submission link feature to include malicious links. This vulnerability enables access to internal network hosts, local files (including environment secrets), and AWS metadata endpoints if deployed on AWS.

Privilege Escalation in Mintplex-Labs/anything-llm

https://huntr.com/bounties/f69e3307-7b44-4776-ac60-2990990723ec/

Impact: Allows unauthorized creation of admin accounts by lower-privileged users.

The application fails to enforce role-based access controls on the server side, allowing users with manager privileges to create admin accounts through the API, bypassing UI restrictions.

Path Traversal in Mintplex-Labs/anything-llm

https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6/

Impact: Enables attackers to download any file from the system.

The profile picture loading feature is vulnerable to path traversal, allowing attackers to manipulate the pfpFilenamevariable to download arbitrary files from the server. This can be exploited by users with manager or admin roles.

CVE

Title

Severity

CVSS

Fixed

Recommendations

CVE-2024-0440

SSRF - reading local files, env secrets, AWS metadata endpoint

Critical

9.6

Yes

Upgrade to latest version

CVE-2024-0550

Arbitrary file reading via path traversal in profile photo loading feature

Critical

9.6

Yes

Upgrade to latest version

CVE-2024-0435

xss bug in chat

High

8.1

Yes

Upgrade to latest version

CVE-2024-0763

Improper input validation leads to arbitrary folder deletion (recursively)

High

8.1

Yes

Upgrade to latest version

CVE-2024-0795

Improper acces control / admin account takeover

High

7.2

Yes

Upgrade to latest version

CVE-2024-0439

Improper privilege management between admin and manager roles

High

7.1

Yes

Upgrade to latest version

CVE-2024-0551

Unauthorized access to anythingllm.db database exports

High

7.1

Yes

Upgrade to latest version

CVE-2024-0243

Server-Side Request Forgery (SSRF)

Low

3.7

Yes

Upgrade to latest version

No CVE Assigned

Unsafe Usage of tempfile.mktemp in clearml Code

Low

2.8

Yes

Upgrade to latest version