48 Vulnerabilities Uncovered In AI Systems: Surge By 220%

Since the initial disclosure of 15 vulnerabilities in November 2023, the number of reported vulnerabilities affecting AI systems has grown by 220%, bringing the total to 48.
Protect AI, which runs the world’s first AI/ML bug bounty program, analyzes the whole open-source AI/ML supply chain for significant vulnerabilities.
Its researchers found that exploitable weaknesses exist in the supply-chain tooling used to build the machine learning models that drive AI applications.
These open-source tools are downloaded thousands of times a month to develop enterprise artificial intelligence systems.
The analysis highlights Remote Code Execution (RCE) as the most widespread class of vulnerability. RCE lets an attacker execute commands or programs on a victim’s computer or server without physical access.
A compromised system can be fully taken over by the attacker, which in turn can lead to data breaches.
Significant Vulnerabilities In AI Systems
Remote Code Execution In PyTorch Serve
An attacker can use this vulnerability to run arbitrary code and compromise the server hosting PyTorch Serve. It has a CVSS base score of 9.8 (critical); no CVE was assigned, at the maintainer’s request.
If PyTorch Serve is exposed to the network, a remote user can upload a model archive containing malicious code. When that model is loaded, the code runs, giving the attacker remote code execution on the server.
Insecure Deserialization In BentoML
Tracked as CVE-2024-2912 with a CVSS base score of 9.8 (critical), this vulnerability allows remote attackers to execute arbitrary code on the server.
BentoML deserializes untrusted request data unsafely: by sending a single specially crafted POST request, an attacker can run arbitrary code on the server hosting the BentoML application.
Upgrade to version 1.2.5.
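Both the PyTorch Serve and the BentoML issues above reduce to the same root cause: a server loads an attacker-supplied artifact with a loader that executes code while deserializing. The block below is an added example, not code from the article, PyTorch Serve or BentoML. It builds a Python pickle whose `__reduce__` hook calls `exec()` when the object is loaded, scans the pickle's imports statically with `pickletools` (the approach model-file scanners take) and then loads it with a restricted unpickler that refuses anything outside an allow list. The artifact layout, the `PWNED_BY_PICKLE` marker and the allow list are constructed for the demonstration.

```python
import builtins
import collections
import io
import os
import pickle
import pickletools

# Constructed, harmless side effect so the demo can show whether the payload ran.
MARKER = "PWNED_BY_PICKLE"

# Globals the hardened loader is willing to resolve. builtins.exec, os.system,
# subprocess.Popen and friends are simply absent, so they can never be called.
SAFE_GLOBALS = {
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "range"),
    ("builtins", "slice"), ("builtins", "complex"),
    ("collections", "OrderedDict"),
}


class MaliciousMetadata:
    """Constructed stand-in for a booby-trapped object inside a model file.

    pickle honours __reduce__, so unpickling this object calls exec() on
    attacker-chosen source. A real payload would drop a reverse shell.
    """

    def __reduce__(self):
        code = "import os; os.environ[%r] = '1'" % MARKER
        return (exec, (code,))


def build_benign_artifact():
    """A 'model' that holds only data; nothing in it names a Python global."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "labels": ("cat", "dog")})


def build_malicious_artifact():
    """Same shape of artifact with the payload hidden in a metadata field."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "metadata": MaliciousMetadata()})


def referenced_globals(blob):
    """List every module.name the stream would import, without executing it.

    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4). For
    STACK_GLOBAL the module and name are the two most recent string pushes,
    which holds for pickler-produced streams; hand-crafted streams could
    route them through memo ops, so treat this as a scanner, not a sandbox.
    """
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
    return refs


def load_unsafe(blob):
    """What a loader does when it hands an uploaded file straight to pickle.loads."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the only place imports happen."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins if module == "builtins" else collections, name)
        raise pickle.UnpicklingError("refusing to import %s.%s" % (module, name))


def safe_load_or_error(blob):
    """Returns ('ok', obj) or ('rejected', reason); payload code never runs."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(blob)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def marker_set():
    return os.environ.get(MARKER) == "1"


if __name__ == "__main__":
    mal = build_malicious_artifact()
    print("imports in artifact:", referenced_globals(mal))
    print("restricted loader  :", safe_load_or_error(mal)[0], "| payload ran:", marker_set())
    load_unsafe(mal)
    print("pickle.loads       : loaded | payload ran:", marker_set())
    os.environ.pop(MARKER, None)
```

The scan and the restricted loader are complementary: the scan tells you what a file would import before you touch it, while `find_class` is the one choke point through which every unpickled global must pass. Real model weights need a longer allow list (for example numpy and torch storage types), but the rule is the same: nothing that can execute code gets resolved.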
Regular Expression Denial Of Service (ReDoS) In FastAPI
Tracked as CVE-2024-24762 with a CVSS base score of 7.5 (high), this bug can be used for a denial-of-service attack that leaves the server unresponsive.
FastAPI is susceptible to ReDoS when parsing form data in certain scenarios: a crafted Content-Type header drives the regular expression into catastrophic backtracking, and the resulting CPU exhaustion renders the server unresponsive.
Upgrade to version 0.109.1.
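To make the failure mode concrete, here is an added example (not FastAPI's or python-multipart's code). `VULNERABLE_RE` is a constructed Content-Type pattern whose overlapping whitespace quantifiers backtrack exponentially when the header ends in a character the pattern cannot match; next to it is a bounded, linear-time parser that splits once and validates each piece with patterns that have no ambiguous repetition. The pattern, the limits and the timing helper are assumptions made for the example.

```python
import re
import time

# Constructed regex in the style of a naive Content-Type parser. It is not the
# pattern from FastAPI or python-multipart; it shows the shape of the bug: the
# group's trailing \s* and the next iteration's leading \s* can both claim the
# same whitespace, so when the tail cannot match, the engine retries every way
# of splitting every gap: about 2^k attempts for k parameters.
VULNERABLE_RE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*\w+\s*=\s*\w+\s*)*\s*$")

# RFC 7230 token characters. None of these patterns nests a quantifier, so each
# match is linear in the length of its input.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(r"^" + TOKEN + r"/" + TOKEN + r"$")
PARAM_RE = re.compile(r"^(" + TOKEN + r')=("[^"]*"|' + TOKEN + r")$")

# Assumed limits; pick whatever your framework allows, but pick something.
MAX_HEADER_LEN = 1024
MAX_PARAMS = 16


def redos_input(k):
    """k well-formed parameters followed by a byte the pattern cannot match."""
    return "text/plain" + "; a=b " * k + "!"


def redos_cost(k):
    """Seconds the vulnerable regex spends rejecting redos_input(k), best of 3."""
    text = redos_input(k)
    best = float("inf")
    for _ in range(3):
        start = time.perf_counter()
        VULNERABLE_RE.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def parse_content_type(header):
    """Bounded, linear-time parser.

    Splits on ';' in one pass, validates each piece with an unambiguous regex
    and caps total length and parameter count. Returns (media_type, params)
    or None for anything malformed, so a hostile header costs O(n) at most.
    """
    if len(header) > MAX_HEADER_LEN:
        return None
    parts = [p.strip() for p in header.split(";")]
    if len(parts) - 1 > MAX_PARAMS or not MEDIA_TYPE_RE.match(parts[0]):
        return None
    params = {}
    for part in parts[1:]:
        m = PARAM_RE.match(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = value[1:-1]  # unquote; quoted-pair escapes omitted for brevity
        params[name] = value
    return parts[0].lower(), params


if __name__ == "__main__":
    for k in (4, 8, 12, 14):
        print("k=%2d  vulnerable regex: %8.2f ms" % (k, redos_cost(k) * 1000))
    print(parse_content_type("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"))
    print(parse_content_type(redos_input(14)))
```

Running it shows the cost of the vulnerable pattern roughly doubling with each extra parameter while the parser rejects the same input after a single pass. When you cannot replace a regex, a length cap in front of it is still worth adding: exponential backtracking on 1 KB of input is bad, on 1 MB it is a guaranteed outage.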
Server-Side Template Injection In BerriAI/Litellm
Attackers can use this vulnerability to make the server execute arbitrary commands.
In BerriAI’s litellm project, the hf_chat_template method passes user-controlled input to the Jinja template engine without sandboxing or sanitizing it, so a malicious template can run arbitrary commands on the server.
Upgrading to a patched release of litellm is recommended.
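As an added example (not litellm's code), the block below renders a chat template twice: with a plain jinja2 `Environment`, and with jinja2's `ImmutableSandboxedEnvironment`, which refuses underscore attributes and unsafe callables. The `MALICIOUS_TEMPLATE` payload, the `DEMO_API_KEY` secret and the render arguments are constructed; the payload is generic Jinja object traversal, not a reproduction of the reported litellm exploit.

```python
import os
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed secret standing in for the provider API keys an LLM gateway holds.
os.environ["DEMO_API_KEY"] = "sk-demo-0000"

MESSAGES = [{"role": "user", "content": "hi"}]

# A legitimate chat template of the kind a model repository ships.
BENIGN_TEMPLATE = "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"

# Constructed SSTI payload: from the template's own `self` reference, walk to
# the implementing module's globals, then to the interpreter builtins, import
# os and read a secret. Any Jinja template rendered unsandboxed is exposed to
# this; the attacker only needs to control the template text.
MALICIOUS_TEMPLATE = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".environ.get('DEMO_API_KEY') }}"
)

# Assumed render variables, mirroring what chat templates usually expect.
RENDER_ARGS = {"bos_token": "<s>", "eos_token": "</s>", "add_generation_prompt": True}


def render_unsandboxed(template_src, messages):
    """Vulnerable pattern: a plain Environment renders template text the server
    did not author, so the whole Python object graph is reachable from it."""
    template = Environment().from_string(template_src)
    return template.render(messages=messages, **RENDER_ARGS)


def render_sandboxed(template_src, messages):
    """Hardened pattern: the sandbox turns the traversal into a SecurityError.
    Returns None on rejection so callers fail closed instead of rendering."""
    env = ImmutableSandboxedEnvironment()
    try:
        return env.from_string(template_src).render(messages=messages, **RENDER_ARGS)
    except SecurityError:
        return None


if __name__ == "__main__":
    for label, render in (("unsandboxed", render_unsandboxed), ("sandboxed", render_sandboxed)):
        print("%-12s benign  -> %r" % (label, render(BENIGN_TEMPLATE, MESSAGES)))
        print("%-12s payload -> %r" % (label, render(MALICIOUS_TEMPLATE, MESSAGES)))
```

The benign template renders identically in both environments, which is the point: the sandbox costs legitimate templates nothing. It is a mitigation for the template language's reach, not for logic bugs inside the template, so it belongs alongside, not instead of, validating where templates come from.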
The Complete List Of Vulnerabilities In AI Systems
| CVE | Title | Severity | CVSS | Fixed | Recommendations |
|---|---|---|---|---|---|
| CVE-2024-3025 | Arbitrary file deletion / reading via path traversal in logo photo upload and download feature in anything-llm | Critical | 9.9 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-2083 | Directory Traversal in /api/v1/steps in zenml | Critical | 9.9 | Yes | Upgrade to version 0.55.5 |
| N/A per maintainer request | Remote Code Execution due to Full Controlled File Write in pytorch/serve | Critical | 9.8 | Yes | Read security documentation for secure deployment. |
| CVE-2024-2912 | RCE By Sending A Single POST Request Via Insecure Deserialization in bentoml | Critical | 9.8 | Yes | Upgrade to version 1.2.5 |
| CVE-2024-3098 | Prompt Injection leading to Arbitrary Code Execution in llama_index | Critical | 9.8 | Yes | Upgrade to version 0.10.24 |
| CVE-2024-2221 | Remote Code Execution via Arbitrary File Overwrite Using Path Traversal in qdrant | Critical | 9.8 | Yes | Upgrade to version 1.8.0 |
| CVE-2024-1520 | OS Command Injection in lollms-webui | Critical | 9.8 | Yes | Upgrade to version 9.1 |
| CVE-2024-2029 | Command injection in audioToWav in mudler/localai in localai | Critical | 9.8 | Yes | Upgrade to version 2.10.0 |
| CVE-2024-3271 | safe_eval bypass lead to RCE (Command Injection) in llama_index | Critical | 9.8 | Yes | Upgrade to version 10.26 |
| CVE-2024-1600 | Local File Inclusion in lollms-webui | Critical | 9.3 | Yes | Upgrade to version 9.5 |
| CVE-2024-3573 | Local File Read (LFI) due to scheme confusion in mlflow | Critical | 9.3 | Yes | Upgrade to version 2.10.0 |
| CVE-2024-1643 | join any organization and read/modify all data in lunary | Critical | 9.1 | Yes | Upgrade to version 1.2.2 |
| CVE-2024-1740 | removed user from a org can read/create/modify/delete logs in lunary | Critical | 9.1 | Yes | Upgrade to version 1.2.7 |
| CVE-2024-1626 | idor bug to change any org project in lunary | Critical | 9.1 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-0404 | Mass assignment in account creation from invitation in anything-llm | Critical | 9.1 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-3029 | Deactivate Multi-User Mode and Delete All Users in anything-llm | Critical | 9.0 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-1522 | Remote Code Execution Via Cross-Site Request Forgery in lollms-webui | High | 8.8 | Yes | Upgrade to version 9.2 |
| CVE-2024-1540 | [gradio-app/gradio] Secrets exfiltration via the [deploy+test-visual.yml] workflow in gradio | High | 8.6 | Yes | Upgrade to commit d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28 |
| CVE-2024-1646 | Insufficient protection over sensitive endpoints in lollms-webui | High | 8.2 | Yes | Upgrade to version 9.3 |
| CVE-2024-25723 | Improper Access Control leads to Account Takeover/Privilege Escalation in zenml | High | 8.1 | Yes | Upgrade to version 0.56.2 |
| CVE-2024-0798 | privilege escalation bug to delete the uploaded document in anything-llm | High | 8.1 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-0549 | Path traversal leads to anythingllm.db deletion in anything-llm | High | 8.1 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-24762 | Content-Type Header ReDoS in fastapi | High | 7.5 | Yes | Upgrade to version 0.109.1 |
| CVE-2024-3569 | DOS attack in Just me mode in anything-llm | High | 7.5 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-1625 | idor bug to delete any org project in lunary | High | 7.5 | Yes | Upgrade to version 1.0.1 |
| CVE-2024-1728 | Local File Inclusion in gradio | High | 7.5 | Yes | Upgrade to version 4.19.2 |
| CVE-2024-2217 | Unauthorized access to config.json file in chuanhuchatgpt | High | 7.5 | Yes | Upgrade to version 20240310 |
| CVE-2024-1892 | Denial of Service when parsing downloaded XML content in XMLFeedSpider in scrapy | High | 7.5 | Yes | Upgrade to version 2.11 |
| CVE-2024-1739 | creating account with same email in lunary | High | 7.5 | Yes | Upgrade to version 1.0.2 |
| CVE-2024-1601 | SQL injection in delete_discussion() in lollms-webui | High | 7.5 | Yes | Upgrade to version 9.2 |
| CVE-2024-1561 | Local file read by calling arbitrary methods of Components class in gradio | High | 7.5 | Yes | Upgrade to version 4.13.0 |
| N/A per maintainer request | Bypass private/linklocal/loopback IP validation Method lead to SSRF in netaddr | High | 7.5 | Yes | Upgrade to version 0.10.0 |
| CVE-2024-3572 | Parsing XML content using insecure function in scrapy | High | 7.5 | Yes | Upgrade to version 2.11.1 |
| CVE-2024-3574 | Authorization header leaked to third party site and it allow to hijack victim account in scrapy | High | 7.5 | Yes | Upgrade to version 2.11.1 |
| CVE-2024-2206 | Insufficient SSRF protection allow gradio app to proxy arbitrary URLs in gradio | High | 7.3 | Yes | Upgrade to version 4.18 |
| CVE-2024-3283 | Mass assignment that leads to privilege escalation attack in anything-llm | High | 7.2 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-3028 | User can read and delete arbitrary files in anything-llm | High | 7.2 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-3101 | Users can escalate privileges by deactivating ‘Multi-User Mode’ in anything-llm | Medium | 6.7 | Yes | Upgrade to version 1.0.0 |
| CVE-2023-6568 | Reflected POST XSS in mlflow | Medium | 6.5 | Yes | Upgrade to version 2.9.0 |
| CVE-2024-3571 | Local File Inclusion (LFI) to Remote Code Execution in langchain | Medium | 6.5 | Yes | Upgrade to version 0.0.353 |
| CVE-2024-1183 | ssrf bug to scan internet network in gradio | Medium | 6.5 | Yes | Upgrade to version 4.11 |
| CVE-2024-1455 | Billion laughs vulnerability that leads to DOS in langchain | Medium | 5.9 | Yes | Upgrade to version 0.1.35 |
| CVE-2024-1729 | timing attack to guess the password in gradio | Medium | 5.9 | Yes | Upgrade to version 4.19.2 |
| CVE-2024-1599 | bypass payment and create more project than limit without paying extra money in lunary | Medium | 5.3 | Yes | Upgrade to version 1.0.0 |
| CVE-2024-1569 | Denial of Service in lollms-webui | Medium | 5.3 | Yes | Upgrade to version 9.2 |
| CVE-2024-1727 | CSRF allows attacker to upload many large files to victim in gradio | Medium | 4.3 | Yes | Upgrade to version 4.19.2 |
| CVE-2024-2260 | Session fixation lead to bypass authentication in zenml | Medium | 4.2 | Yes | Upgrade to version 0.56.2 |
| CVE-2024-3568 | Transformers has a Deserialization of Untrusted Data vulnerability in transformers | Low | 3.4 | Yes | Upgrade to version 4.38 |
This proactive approach to finding and fixing security issues in AI systems gives the community concrete information about each vulnerability and helps get the affected projects patched quickly.
