AI Sec Watch

Gradio, a popular Python library for building AI interfaces, has a vulnerability in its `/component_server` endpoint that lets attackers call any method on a Component class with their own arguments. By exploiting a specific method called `move_resource_to_block_cache()`, attackers can copy files from the server's filesystem to a temporary folder and download them, potentially exposing sensitive data like API keys, especially when apps are shared online or hosted on platforms like Hugging Face.

A path traversal vulnerability (a security flaw where attackers use special characters like ../ to access files outside their intended directory) exists in MLflow's artifact deletion feature. Attackers can delete arbitrary files on a server by exploiting an extra decoding step that fails to properly validate user input, and this vulnerability affects versions up to 2.9.2.

CVE-2024-1558 is a path traversal vulnerability (a security flaw where an attacker uses special characters like "../" to access files outside their intended directory) in MLflow's model version creation function. An attacker can craft a malicious `source` parameter that bypasses the validation check, allowing them to read any file on the server when fetching model artifacts.

CVE-2024-1483 is a path traversal vulnerability (a weakness that lets attackers access files outside intended directories) in MLflow version 2.9.2 that allows attackers to read arbitrary files on a server. The vulnerability occurs because the server doesn't properly validate user input in the 'artifact_location' and 'source' parameters, and attackers can exploit this by sending specially crafted HTTP POST requests that use '#' instead of '?' in local URIs to navigate the server's directory structure.

CVE-2024-1183 is an SSRF vulnerability (a flaw where an attacker tricks a server into making requests to internal networks) in the Gradio application that lets attackers scan and identify open ports on internal networks by manipulating the 'file' parameter in requests and reading responses for specific headers or error messages.

Google's NotebookLM is a tool that lets users upload files for an AI to analyze, but it's vulnerable to prompt injection (tricking the AI by hiding instructions in uploaded files) that can manipulate the AI's responses and expose what users see. The tool also has a data exfiltration vulnerability (attackers stealing information) when processing untrusted files, and there is currently no known way to prevent these attacks, meaning users cannot fully trust the AI's responses when working with files from unknown sources.

Stable-diffusion-webui version 1.7.0 has a vulnerability where user input from the Backup/Restore tab is not properly validated before being used to create file paths, allowing attackers to write JSON files to arbitrary locations on Windows systems where the web server has access. This is a limited file write vulnerability (a security flaw that lets attackers create or modify files in unintended locations) that could let an attacker place malicious files on the server.

CVE-2023-51409 is a vulnerability in the Jordy Meow AI Engine: ChatGPT Chatbot plugin (versions up to 1.9.98) that allows unrestricted upload of dangerous file types, meaning attackers can upload files that shouldn't be allowed without proper validation. This vulnerability could potentially lead to remote code execution (running malicious commands on the affected system).

The huggingface/transformers library has a vulnerability where attackers can run arbitrary code on a victim's machine by tricking them into loading a malicious checkpoint file. The problem occurs in the `load_repo_checkpoint()` function, which uses `pickle.load()` (a Python function that reconstructs objects from serialized data) on data that might come from untrusted sources, allowing attackers to execute remote code execution (RCE, where an attacker runs commands on a system they don't own).