Executive Summary

At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them. 

Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunts for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found that the tools used in the supply chain to build the machine learning models that power AI applications are vulnerable to unique security threats. These tools are open source and downloaded thousands of times a month to build enterprise AI systems. They also often come out of the box with vulnerabilities that can lead directly to complete system takeover, such as unauthenticated remote code execution or local file inclusion.

This report contains 20 vulnerabilities. You can find all the details of this month's vulnerabilities in the table below, or you can head over to protectai.com/sightline to search the comprehensive database of all huntr findings and download tools to detect, assess and remediate them within your organization's AI supply chain.

It is important to note that all vulnerabilities were reported to the maintainers prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out to community@protectai.com; we’re here to help.

Top Vulnerabilities

Remote Code Execution (RCE) in BerriAI/litellm

https://sightline.protectai.com/vulnerabilities/0c220d75-47ff-49cc-9253-965986487739

Impact: An attacker can execute arbitrary code on the server by injecting malicious environment variables. The vulnerability occurs in the litellm.get_secret() function, where untrusted data can be passed to the eval function without proper sanitization. This can be exploited by updating environment variables via the /config/update endpoint, allowing an attacker to inject malicious code.
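As an added example (not litellm's own get_secret() code), here is a settings loader in the shape the finding describes: a version that hands environment-variable text to eval(), beside a hardened version that recognises booleans and literal values explicitly and otherwise keeps the value as a plain string. The env mapping parameter is an assumption added so the behaviour can be exercised without touching os.environ.

```python
import ast
import json
import os
from typing import Any, Mapping, Optional

# Added example, not litellm's code. Both loaders read a value from the
# process environment (or an injected mapping, for offline testing).

def get_secret_unsafe(name: str, env: Optional[Mapping[str, str]] = None) -> Any:
    """Weak pattern: whatever text reaches eval() runs as Python, so whoever
    can set the variable (e.g. through a config-update endpoint) decides
    what the server executes."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        return None
    try:
        return eval(value)  # the defect: evaluating untrusted text as code
    except Exception:
        return value

_BOOLS = {"true": True, "false": False}

def get_secret_safe(name: str, env: Optional[Mapping[str, str]] = None) -> Any:
    """Hardened: accept only a closed set of literal shapes; never run code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        return None
    text = value.strip()
    if text.lower() in _BOOLS:
        return _BOOLS[text.lower()]
    # ast.literal_eval parses literals only (numbers, strings, lists, dicts)
    # and raises on names, calls and attribute access instead of running them.
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError):
        pass
    try:
        return json.loads(text)  # catches JSON such as {"a": true}
    except json.JSONDecodeError:
        return value  # not a recognised literal: hand back the raw string
```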

Insecure Password Reset Token Handling in lunary-ai/lunary

https://sightline.protectai.com/vulnerabilities/60452e01-97fa-48f8-a09f-ea8b233a6c77

Impact: An attacker can reuse a password reset token to change the victim's password multiple times.

The vulnerability lies in the password reset functionality, where the token is not invalidated after the password is changed. This allows an attacker who has compromised the token to reuse it and change the password repeatedly.
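The fix for this class of bug is to make the token single-use and time-limited. The following is an added example, not lunary's code; the 15-minute lifetime, the on_reset callback (where the real password hashing would live) and the injectable clock are assumptions made for illustration and testing.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; the report does not state one

@dataclass
class ResetRecord:
    user_id: str
    expires_at: float

class PasswordResetService:
    """Added example, not lunary's code. Tokens are stored hashed, expire,
    are replaced when a new one is issued, and are deleted on the first
    successful password change, so a captured token cannot be replayed."""

    def __init__(self, on_reset: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._on_reset = on_reset     # persists the new password (hash it there)
        self._now = now
        self._records: Dict[str, ResetRecord] = {}   # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id: str) -> str:
        # One outstanding token per user: issuing a new one revokes the old.
        for digest in [d for d, r in self._records.items() if r.user_id == user_id]:
            del self._records[digest]
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = ResetRecord(user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        digest = self._digest(token)
        record = self._records.get(digest)
        if record is None:
            return False
        if self._now() > record.expires_at:
            del self._records[digest]
            return False
        # Consume the token before the password changes, so a second request
        # arriving for the same token finds nothing to redeem.
        del self._records[digest]
        self._on_reset(record.user_id, new_password)
        return True
```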

Server-Side Request Forgery (SSRF) in gradio-app/gradio

https://sightline.protectai.com/vulnerabilities/e74b6a9b-9ddb-496a-8dfa-d374311209eb

Impact: An attacker can make unauthorized HTTP requests to internal services, potentially accessing sensitive information. The vulnerability is in the save_url_to_cache function, which does not properly validate the path parameter. This allows an attacker to supply a URL that the server will fetch, leading to SSRF.
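A server that fetches user-supplied URLs needs to validate the destination before connecting. The following added example (not gradio's code) checks scheme and credentials, resolves the host, and rejects any answer that is loopback, link-local, private or otherwise non-public, including IPv4-mapped IPv6 forms; the injectable resolver is an assumption so the check can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}

def _is_public(ip: IPAddress) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_fetch_target(url: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Validate a user-supplied URL before the server fetches it and return
    the public addresses it may connect to; raise ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    try:
        candidates = [ipaddress.ip_address(host)]      # literal IP in the URL
    except ValueError:
        infos = resolver(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not candidates:
        raise ValueError("host did not resolve")
    # Every answer must be public; one internal record is enough to reject.
    for ip in candidates:
        if not _is_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    # Connect to these addresses directly (sending the original Host header)
    # rather than resolving again, or DNS rebinding can swap in an internal IP.
    return [str(ip) for ip in candidates]

def is_safe_fetch_url(url: str, resolver: Callable = socket.getaddrinfo) -> bool:
    try:
        resolve_fetch_target(url, resolver)
        return True
    except ValueError:
        return False
```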


Table

CVE | Title | Severity | CVSS | Fixed | Recommendations
--- | --- | --- | --- | --- | ---
CVE-2023-6016 | Remote code execution via source POJO model import in h2o-3 | Critical | 10.0 | Yes | Upgrade to version 3.46.0.1
CVE-2024-5386 | Account hijacking via password reset token leak | Critical | 9.6 | Yes | Upgrade to version 1.2.14
CVE-2023-6038 | LFI in h2o-3 API in h2o-3 | Critical | 9.3 | Yes | Upgrade to version 3.46.0.1
CVE-2024-5328 | SSRF through backend endpoint auth API in lunary | High | 8.6 | Yes | Upgrade to version 1.4.9
CVE-2024-4151 | IDOR: allows viewing/updating any prompts in any project in lunary | High | 8.3 | Yes | Upgrade to version 1.2.25
CVE-2024-4147 | A user can delete prompts from other orgs in lunary | High | 7.5 | Yes | Upgrade to version 1.2.25
CVE-2024-4148 | ReDoS (Regular Expression Denial of Service) in lunary | High | 7.5 | Yes | Upgrade to version 1.3.4
CVE-2024-6587 | SSRF exposes OpenAI API keys in litellm | High | 7.5 | Yes | Upgrade to version 1.44.9
CVE-2024-5478 | XSS in SAML metadata endpoint in lunary | High | 7.4 | Yes | Upgrade to version 1.4.9
CVE-2024-5714 | A member can invite/change other users to someone else's project, or change another org's users to own/non-own projects, in lunary | High | 7.4 | Yes | Upgrade to version 1.4.9
CVE-2024-6862 | CSRF on endpoint for user signup in lunary | High | 7.4 | Yes | Upgrade to version 1.4.10
CVE-2024-4154 | Unprivileged user can rename a project in lunary | High | 7.1 | Yes | Upgrade to version 1.2.26
CVE-2024-6582 | Broken access control in lunary | Medium | 6.5 | Yes | Upgrade to version 1.4.9
CVE-2024-5248 | Prompt editor role has access to full list of org users in lunary | Medium | 6.5 | Yes | Upgrade to version 1.4.9
CVE-2024-6087 | Account takeover through the invite functionality for newly registered users in lunary | Medium | 6.5 | Yes | Upgrade to version 1.4.9
CVE-2024-5389 | A user can create/get/edit/delete prompt variations for datasets from other orgs in lunary | Medium | 5.7 | Yes | Upgrade to version 1.4.8
CVE-2024-5755 | Creating an account with the same email in lunary | Medium | 5.3 | Yes | Upgrade to version 1.4.10
CVE-2024-6086 | Any role can change the org's name in lunary | Medium | 5.3 | Yes | Upgrade to version 1.4.10
CVE-2024-5998 | Pickle deserialization vulnerability in langchain | Medium | 5.2 | Yes | Upgrade to version 0.2.9
CVE-2024-6867 | Run info leak without valid authorization in lunary | Medium | 4.3 | Yes | Upgrade to version 1.4.10