aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6543 items

CVE-2024-24426: Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation

highvulnerability
security
Nov 15, 2024
CVE-2024-24426

CVE-2024-24426 is a vulnerability in OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 where attackers can trigger reachable assertions (checks that crash the program if they fail) in the NGAP_FIND_PROTOCOLIE_BY_ID function by sending a specially crafted NGAP packet (a message used in cellular networks), causing a Denial of Service attack (making the service unavailable to legitimate users). The vulnerability has not yet received an official CVSS severity rating from NIST.

NVD/CVE Database

CVE-2024-24450: Stack-based memcpy buffer overflow in the ngap_handle_pdu_session_resource_setup_response routine in OpenAirInterface CN

mediumvulnerability
security
Nov 15, 2024
CVE-2024-24450

OpenAirInterface CN (a 5G network software) versions 2.0.0 and earlier contain a stack-based buffer overflow (a memory safety bug where data overflows allocated memory space) in a function that handles network messages, allowing remote attackers to crash the system or potentially run unauthorized code by sending specially crafted network packets. The vulnerability affects the N2 interface (the connection between radio access networks and the core network).

CVE-2024-24449: An uninitialized pointer dereference in the NasPdu::NasPdu component of OpenAirInterface CN5G AMF up to v2.0.0 allows at

mediumvulnerability
security
Nov 15, 2024
CVE-2024-24449

CVE-2024-24449 is a vulnerability in OpenAirInterface CN5G AMF (a 5G network component) up to version 2.0.0 where an uninitialized pointer dereference (using a pointer variable that hasn't been set to a valid memory address) in the NasPdu::NasPdu component can be exploited. An attacker can send a specially crafted InitialUEMessage to cause a Denial of Service (DoS, making the service unavailable to legitimate users).

CVE-2024-52384: Unrestricted Upload of File with Dangerous Type vulnerability in Sage AI Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles,

criticalvulnerability
security
Nov 14, 2024
CVE-2024-52384

A WordPress plugin called Sage AI (which provides chatbots, GPT-4 article generation, and image creation features) has a vulnerability (CVE-2024-52384) that allows unrestricted uploading of dangerous file types, enabling attackers to upload web shells (malicious scripts that give attackers control of a web server). This vulnerability affects all versions up to and including version 2.4.9.

CVE-2024-52383: Missing Authorization vulnerability in KCT Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One a

highvulnerability
security
Nov 14, 2024
CVE-2024-52383

CVE-2024-52383 is a missing authorization vulnerability (a flaw where the software fails to check if a user has permission to perform an action) in the KCT Ai Auto Tool Content Writing Assistant plugin for WordPress, affecting versions up to 2.1.2. This vulnerability allows attackers to exploit incorrectly configured access control (permission settings) to gain unauthorized access.

CVE-2024-21799: Path traversal for some Intel(R) Extension for Transformers software before version 1.5 may allow an authenticated user

highvulnerability
security
Nov 13, 2024
CVE-2024-21799

CVE-2024-21799 is a path traversal vulnerability (a bug where an attacker can access files outside intended directories) in Intel Extension for Transformers software versions before 1.5 that allows authenticated users (those with login access) to escalate their privileges through local access. The vulnerability has a CVSS score (severity rating) of 6.9, rated as medium severity.

CVE-2024-51749: Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.8

lowvulnerability
security
Nov 12, 2024
CVE-2024-51749

Element is a messaging app web client that had a bug in versions before 1.11.85 where it didn't properly validate thumbnails (small preview images) for attachments, stickers, and images. This allowed attackers to add fake thumbnails that would trigger unwanted file downloads when users clicked on them.

OWASP Top 10 for Large Language Model Applications - 2023 - v1.1

inforegulatory
securitypolicy

OWASP Top 10 for Large Language Model Applications - 2023 - v1

inforegulatory
securitypolicy

Overview of all AI Act National Implementation Plans

inforegulatory
policy
Nov 8, 2024

This document provides an overview of how different European Union countries are implementing the EU AI Act, which is legislation regulating artificial intelligence systems. Most countries show unclear or partial progress in establishing the required authorities (government bodies responsible for oversight and enforcement), with some nations like Denmark and Finland having made more concrete arrangements for coordinating market surveillance (monitoring that AI systems follow the rules) and serving as single points of contact.

CVE-2024-50182: In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot se

mediumvulnerability
security
Nov 8, 2024
CVE-2024-50182

A Linux kernel vulnerability (CVE-2024-50182) affected memfd_secret(), a system call that creates secret memory regions hidden from the kernel's direct map (a lookup table for physical memory). On some ARM64 systems, the function appeared to work but silently failed to actually hide the memory, defeating its security purpose. The fix makes memfd_secret() return an error code (-ENOSYS) on systems that cannot properly remove memory from the direct map, rather than silently failing.

CVE-2024-51751: Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadB

mediumvulnerability
security
Nov 6, 2024
CVE-2024-51751

Gradio is an open-source Python package for building web applications, but versions before 5.5.0 have a vulnerability in the File and UploadButton components that allows attackers to read any files from the application server by exploiting path traversal (a technique where attackers use file paths like '../../../' to access files outside their intended directory). This happens when these components are used to preview file content.

CVE-2024-48061: langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the

criticalvulnerability
security
Nov 4, 2024
CVE-2024-48061EPSS: 10.2%

Langflow version 1.0.18 and earlier has a remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) because components with code functionality execute on the local machine instead of in a sandbox (an isolated environment that limits what code can access). This allows any component to potentially execute arbitrary code.

CVE-2024-48052: In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The re

mediumvulnerability
security
Nov 4, 2024
CVE-2024-48052

Gradio version 4.42.0 and earlier contain a server-side request forgery vulnerability (SSRF, a flaw where a server can be tricked into making requests to unintended targets) in the gr.DownloadButton function. The issue exists because the save_url_to_cache function doesn't validate URLs properly, allowing attackers to download local files and access sensitive information from the server.

CVE-2024-39722: An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via

highvulnerability
security
Oct 31, 2024
CVE-2024-39722EPSS: 54.4%

CVE-2024-39721: An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until compl

highvulnerability
security
Oct 31, 2024
CVE-2024-39721

Ollama before version 0.1.34 has a vulnerability where the CreateModelHandler function improperly reads user-controlled file paths without limits, allowing an attacker to specify a blocking file like /dev/random, which causes a goroutine (a lightweight process in Go) to run infinitely and consume resources even after the user cancels their request. This is a resource exhaustion (CWE-404: Improper Resource Shutdown or Release) issue that can disrupt service availability.

CVE-2024-39720: An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file c

highvulnerability
security
Oct 31, 2024
CVE-2024-39720

A vulnerability in Ollama before version 0.1.46 allows an attacker to crash the application by uploading a malformed GGUF file (a model format file) using two HTTP requests and then referencing it in a custom Modelfile. This causes a segmentation fault (a type of crash where the program tries to access memory it shouldn't), making the application unavailable.

CVE-2024-39719: An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the C

highvulnerability
security
Oct 31, 2024
CVE-2024-39719

Ollama versions through 0.3.14 have a vulnerability where the api/create endpoint leaks information about which files exist on the server. When someone calls the CreateModel route with a path that doesn't exist, the server returns an error message saying 'File does not exist', which allows attackers to probe the server's file system.

CVE-2024-42835: langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

criticalvulnerability
security
Oct 31, 2024
CVE-2024-42835EPSS: 12.6%

CVE-2024-48063: In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is

criticalvulnerability
security
Oct 29, 2024
CVE-2024-48063EPSS: 18.5%
Previous270 / 328Next
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database

Fix: Update Intel Extension for Transformers to version 1.5 or later.

NVD/CVE Database

Fix: Update Element Web and Desktop to version 1.11.85 or later. The fix is confirmed in element-web 1.11.85.

NVD/CVE Database
Nov 11, 2024

N/A -- The provided content is a GitHub navigation menu and marketing material, not a substantive article about the OWASP Top 10 for LLM Applications. No technical information, vulnerabilities, or security issues are described in the source text.

OWASP LLM Top 10
Nov 11, 2024

N/A -- The provided content is a navigation menu and header from a GitHub webpage about enterprise features and developer tools. It does not contain substantive information about the OWASP Top 10 for Large Language Model Applications or any AI/LLM security issues.

OWASP LLM Top 10
EU AI Act Updates

Fix: Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). The patch disables the syscall on ARM64 systems with certain configuration options disabled (CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, and CONFIG_KFENCE=n) where the operation cannot work correctly.

NVD/CVE Database

Fix: Upgrade to Gradio release version 5.5.0 or later. The source explicitly states: 'This issue has been addressed in release version 5.5.0 and all users are advised to upgrade.'

NVD/CVE Database
NVD/CVE Database
NVD/CVE Database

Ollama before version 0.1.46 has a security flaw where attackers can use path traversal (a technique that manipulates file paths to access files outside their intended directory) in the api/push route to discover which files exist on the server. This allows an attacker to learn information about the server's file system that should be private.

Fix: Update Ollama to version 0.1.46 or later.

NVD/CVE Database

Fix: Update Ollama to version 0.1.34 or later.

NVD/CVE Database

Fix: Update Ollama to version 0.1.46 or later.

NVD/CVE Database
NVD/CVE Database

Langflow v1.0.12 contains a remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) in its PythonCodeTool component. This flaw allows attackers to execute arbitrary code through the tool. The vulnerability was publicly disclosed in October 2024.

NVD/CVE Database

PyTorch versions 2.4.1 and earlier contain a vulnerability in RemoteModule that allows RCE (remote code execution, where an attacker can run commands on a system they don't own) through deserialization of untrusted data. However, multiple parties dispute whether this is actually a security flaw, arguing it is intended behavior in PyTorch's distributed computing features (tools for running AI computations across multiple machines).

NVD/CVE Database