All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
The Vanna library (a tool for generating data visualizations) has a vulnerability where attackers can use prompt injection (tricking an AI by hiding instructions in its input) to alter how the library processes user requests and run arbitrary Python code instead of creating the intended visualization. This happens when external input is sent to the library's 'ask' method with visualization enabled, which is the default setting, leading to remote code execution (attackers being able to run commands on a system they don't own).
A code injection vulnerability (injecting malicious code into a system) exists in the huggingface/text-generation-inference repository's workflow file, where user input from GitHub branch names is unsafely used to build commands. An attacker can exploit this by creating a malicious branch name and submitting a pull request, potentially executing arbitrary code on the GitHub Actions runner (the automated system that runs tests and builds for the project).
Qdrant version 1.9.0-dev has a path traversal vulnerability (a security flaw where an attacker manipulates file paths to access unintended locations) in its snapshot upload endpoint that allows attackers to write files anywhere on the server by encoding special characters in the request. This could lead to complete system compromise through arbitrary file upload and overwriting.
EmbedAI has a security flaw that allows data poisoning attacks (injecting false or harmful information into an AI system) through a CSRF vulnerability (cross-site request forgery, where an attacker tricks a user into performing unwanted actions on a website they're logged into). An attacker can direct users to a malicious webpage that exploits weak session management and CORS policies (which control what external websites can access the application), tricking them into uploading bad data that corrupts the application's language model.
CVE-2024-5397 is a critical vulnerability in itsourcecode Online Student Enrollment System 1.0 that allows SQL injection (an attack where malicious code is inserted into database queries through user input). The flaw exists in the instructorSubjects.php file where the instructorId parameter is not properly protected, and an attacker can exploit it remotely with valid user credentials.
The Testimonial Carousel For Elementor WordPress plugin (versions up to 10.2.0) has a missing authorization check in the 'save_testimonials_option_callback' function, allowing unauthenticated attackers to modify data like OpenAI API keys without permission. This vulnerability is classified as CWE-862 (missing authorization, where a system doesn't verify that a user has permission to perform an action).
This overview discusses the European AI Act and the governance framework needed to implement it, focusing on the European Commission's responsibilities and the AI Office. Key tasks include establishing guidelines for classifying high-risk AI systems, defining what counts as significant modifications (changes that alter a system's risk level), and setting standards for transparency and enforcement across EU member states.
The AI ChatBot plugin for WordPress (up to version 5.3.4) has a security flaw where a function called openai_file_delete_callback lacks a capability check (verification that a user has permission to perform an action). This allows any authenticated user with subscriber-level access or higher to delete files from a connected OpenAI account without proper authorization.
The AI ChatBot plugin for WordPress (up to version 5.3.4) has a missing capability check (a missing authorization check that verifies user permissions) in its file upload function, allowing authenticated users with basic subscriber access to upload files to a connected OpenAI account without proper permission verification. This vulnerability affects all versions through 5.3.4 and could let low-privilege attackers modify data on the linked OpenAI account.
The AI ChatBot plugin for WordPress has a security flaw in versions up to 5.3.4 where a function lacks a capability check (a security control that verifies a user has permission to perform an action). This allows authenticated users with subscriber-level access or higher to view files stored in a connected OpenAI account without authorization.
A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter, a technology for running safe programs in the kernel) subsystem occurs when a BPF program ends with a call to bpf_throw (a function that terminates execution), causing the instruction pointer to point just past the program's boundary. This breaks stack unwinding (the process of tracking where an error originated across function calls), potentially causing a panic (system crash). The fix makes the kernel treat instruction pointers at the program boundary (IP == ksym.end) as part of the program, allowing reliable stack unwinding in these cases.
A memory leak was found in the Linux kernel's SocketCAN driver for Microchip CAN BUS Analyzer Tool, where 20 USB coherent buffers (memory blocks allocated for direct USB communication) were allocated in the mcba_usb_start() function but never freed, causing memory to be wasted when the device disconnected. The issue occurred because the disconnect function simply stopped the USB requests without properly deallocating the coherent buffers.
A use-after-free vulnerability (UAF, a bug where code tries to access memory that has already been freed) was found in the Linux kernel's KVM (virtual machine software) SVM (a CPU virtualization technology) module in the svm_register_enc_region() function. The vulnerability occurred because a cache flush operation was happening after releasing a lock, allowing another part of the program to delete the region data before the flush completed.
MLflow (a tool for managing machine learning experiments) versions before 2.10.1 have a broken access control vulnerability where users with only EDIT permissions can delete artifacts (saved files or data from experiments) they shouldn't be able to delete. The bug happens because the system doesn't properly check permissions when users request to delete artifacts, even though the documentation says EDIT users should only be able to read and update, not delete.
The Tutor LMS plugin for WordPress (versions up to 2.7.0) has a time-based SQL injection vulnerability (a technique where attackers sneak malicious database commands into user input to extract data) in the 'question_id' parameter because the plugin doesn't properly clean user input or prepare its database queries. Attackers with Instructor-level permissions or higher can exploit this to extract sensitive information from the database.
Ollama versions before 0.1.34 have a security flaw where they don't properly check the format of digests (sha256 hashes that should be exactly 64 hexadecimal digits) when looking up model file paths. This allows attackers to bypass security checks by using invalid digest formats, such as ones with too few digits, too many digits, or paths starting with '../' (a path traversal technique that accesses files outside the intended directory).
Fix: Update Ollama to version 0.1.34 or later. The fix is available in the release notes at https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34 and was implemented in pull request #4175.
NVD/CVE DatabaseFix: This issue was fixed in version 2.0.0. Users should update to version 2.0.0 or later.
NVD/CVE DatabaseFix: The issue is fixed in version 1.9.0. Users should upgrade to this version or later.
NVD/CVE DatabaseChatGPT's browsing tool can be tricked into automatically invoking other tools (like image creation or memory management) when users visit websites containing hidden instructions, a vulnerability known as prompt injection (tricking an AI by hiding instructions in its input). While OpenAI added some protections, minor prompting tricks can bypass them, and this issue affects other AI applications as well.
Fix: For custom GPTs with AI Actions, creators can use the x-openai-isConsequential flag as a mitigation to put users in control, though the source notes this approach 'still lacks a great user experience, like better visualization to understand what the action is about to do.'
Embrace The RedFix: The source suggests that the Commission should adopt 'predetermined change management plans akin to those in medicine' to assess modifications to AI systems. These plans would be documents outlining anticipated changes (such as performance adjustments or shifts in intended use) and the methods for evaluating whether those changes substantially alter the system's risk level. The source also recommends that standard fine-tuning of foundation models (training adjustments to pre-existing AI models) should not be considered a significant modification unless safety layers are removed or other actions clearly increase risk.
EU AI Act UpdatesChatGPT's new memory feature, which lets the AI remember information across different chat sessions for a more personalized experience, can be exploited through indirect prompt injection (tricking an AI by hiding malicious instructions in its input). Attackers could manipulate ChatGPT into storing false information, biases, or unwanted instructions by injecting commands through connected apps like Google Drive, uploaded documents, or web browsing features.
Fix: A patch is available at https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php. Users should update their AI ChatBot plugin to a version after 5.3.4.
NVD/CVE DatabaseFix: Make bpf_prog_ksym_find treat IP == ksym.end as part of the BPF program, so that is_bpf_text_address returns true when such a case occurs, allowing reliable unwinding when the final instruction ends up being a call instruction.
NVD/CVE DatabaseFix: All allocated buffers should be freed with usb_free_coherent() explicitly. The source notes that the same correct pattern for allocating and freeing coherent buffers is used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c.
NVD/CVE DatabaseThis post examines how attackers can insert hidden malicious code into machine learning models (a technique called backdooring) through supply chain attacks, specifically targeting Keras models (a popular framework for building AI systems). The authors demonstrate this attack and then explore tools that can detect when a model has been compromised in this way.
Fix: Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock (release the lock only after the flush is complete, not before). This ensures the region and its page array cannot be freed by another task while the flush is still in progress.
NVD/CVE DatabaseFix: Update mlflow to version 2.10.1 or later.
NVD/CVE DatabaseMLflow version 2.11.0 has a path traversal vulnerability (a security flaw where an attacker can access files outside intended directories) that bypasses a previous fix. An attacker can use a '#' character in artifact URLs to skip validation and read sensitive files like SSH keys and cloud credentials from the server's filesystem. The vulnerability exists because the application doesn't properly validate the fragment portion (the part after '#') of URLs before converting them to filesystem paths.