aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

1471 items (page 44 of 74)

CVE-2024-4253: A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.y…
critical | vulnerability | security | Jun 4, 2024 | CVE-2024-4253
A command injection vulnerability (a type of attack where specially crafted input tricks a system into running unintended commands) exists in the Gradio project's automated workflow file, where unsanitized (unfiltered) repository and branch names could be exploited to steal sensitive credentials like authentication tokens. The vulnerability affects Gradio versions up to @gradio/video@0.6.12.
Source: NVD/CVE Database

CVE-2024-3829: qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Att…
critical | vulnerability | security | Jun 3, 2024 | CVE-2024-3829
Qdrant version 1.9.0-dev has a vulnerability in its snapshot recovery process (a feature that restores a database from a backup) that allows attackers to read and write arbitrary files on the server by inserting symlinks (shortcuts to other files) into snapshot files. This could potentially give attackers complete control over the system.
Fix: Update to version v1.9.0, where the issue is fixed.
Source: NVD/CVE Database

CVE-2024-5565: The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt…
high | vulnerability | security | May 31, 2024 | CVE-2024-5565
The Vanna library (a tool for generating data visualizations) has a vulnerability where attackers can use prompt injection (tricking an AI by hiding instructions in its input) to alter how the library processes user requests and run arbitrary Python code instead of creating the intended visualization. This happens when external input is sent to the library's 'ask' method with visualization enabled, which is the default setting, leading to remote code execution (attackers being able to run commands on a system they don't own).
Source: NVD/CVE Database

CVE-2024-37032: Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path,…
high | vulnerability | security | May 31, 2024 | CVE-2024-37032 | EPSS: 93.8%
Ollama versions before 0.1.34 have a security flaw where they don't properly check the format of digests (sha256 hashes that should be exactly 64 hexadecimal digits) when looking up model file paths. This allows attackers to bypass security checks by using invalid digest formats, such as ones with too few digits, too many digits, or paths starting with '../' (a path traversal technique that accesses files outside the intended directory).
Fix: Update Ollama to version 0.1.34 or later. The fix is available in the release notes at https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34 and was implemented in pull request #4175.
Source: NVD/CVE Database

CVE-2024-3924: A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `…
high | vulnerability | security | May 30, 2024 | CVE-2024-3924
A code injection vulnerability (injecting malicious code into a system) exists in the huggingface/text-generation-inference repository's workflow file, where user input from GitHub branch names is unsafely used to build commands. An attacker can exploit this by creating a malicious branch name and submitting a pull request, potentially executing arbitrary code on the GitHub Actions runner (the automated system that runs tests and builds for the project).
Fix: This issue was fixed in version 2.0.0. Users should update to version 2.0.0 or later.
Source: NVD/CVE Database

CVE-2024-3584: qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{n…
high | vulnerability | security | May 30, 2024 | CVE-2024-3584
Qdrant version 1.9.0-dev has a path traversal vulnerability (a security flaw where an attacker manipulates file paths to access unintended locations) in its snapshot upload endpoint that allows attackers to write files anywhere on the server by encoding special characters in the request. This could lead to complete system compromise through arbitrary file upload and overwriting.
Fix: The issue is fixed in version 1.9.0. Users should upgrade to this version or later.
Source: NVD/CVE Database

CVE-2024-5185: The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result…
high | vulnerability | security | May 29, 2024 | CVE-2024-5185
EmbedAI has a security flaw that allows data poisoning attacks (injecting false or harmful information into an AI system) through a CSRF vulnerability (cross-site request forgery, where an attacker tricks a user into performing unwanted actions on a website they're logged into). An attacker can direct users to a malicious webpage that exploits weak session management and CORS policies (which control what external websites can access the application), tricking them into uploading bad data that corrupts the application's language model.
Source: NVD/CVE Database

CVE-2024-4858: The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a…
medium | vulnerability | security | May 25, 2024 | CVE-2024-4858
The Testimonial Carousel For Elementor WordPress plugin (versions up to 10.2.0) has a missing authorization check in the 'save_testimonials_option_callback' function, allowing unauthenticated attackers to modify data like OpenAI API keys without permission. This vulnerability is classified as CWE-862 (missing authorization, where a system doesn't verify that a user has permission to perform an action).
Source: NVD/CVE Database

CVE-2024-0453: The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check…
medium | vulnerability | security | May 22, 2024 | CVE-2024-0453
The AI ChatBot plugin for WordPress (up to version 5.3.4) has a security flaw where a function called openai_file_delete_callback lacks a capability check (verification that a user has permission to perform an action). This allows any authenticated user with subscriber-level access or higher to delete files from a connected OpenAI account without proper authorization.
Source: NVD/CVE Database

CVE-2024-0452: The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check…
medium | vulnerability | security | May 22, 2024 | CVE-2024-0452
The AI ChatBot plugin for WordPress (up to version 5.3.4) has a missing capability check (a missing authorization check that verifies user permissions) in its file upload function, allowing authenticated users with basic subscriber access to upload files to a connected OpenAI account without proper permission verification. This vulnerability affects all versions through 5.3.4 and could let low-privilege attackers modify data on the linked OpenAI account.
Source: NVD/CVE Database

CVE-2024-0451: The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on th…
medium | vulnerability | security | May 22, 2024 | CVE-2024-0451
The AI ChatBot plugin for WordPress has a security flaw in versions up to 5.3.4 where a function lacks a capability check (a security control that verifies a user has permission to perform an action). This allows authenticated users with subscriber-level access or higher to view files stored in a connected OpenAI account without authorization.
Fix: A patch is available at https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php. Users should update their AI ChatBot plugin to a version after 5.3.4.
Source: NVD/CVE Database

CVE-2024-4263: A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with onl…
medium | vulnerability | security | May 16, 2024 | CVE-2024-4263
MLflow (a tool for managing machine learning experiments) versions before 2.10.1 have a broken access control vulnerability where users with only EDIT permissions can delete artifacts (saved files or data from experiments) they shouldn't be able to delete. The bug happens because the system doesn't properly check permissions when users request to delete artifacts, even though the documentation says EDIT users should only be able to read and update, not delete.
Fix: Update mlflow to version 2.10.1 or later.
Source: NVD/CVE Database

CVE-2024-3848: A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously address…
high | vulnerability | security | May 16, 2024 | CVE-2024-3848 | EPSS: 78.7%
MLflow version 2.11.0 has a path traversal vulnerability (a security flaw where an attacker can access files outside intended directories) that bypasses a previous fix. An attacker can use a '#' character in artifact URLs to skip validation and read sensitive files like SSH keys and cloud credentials from the server's filesystem. The vulnerability exists because the application doesn't properly validate the fragment portion (the part after '#') of URLs before converting them to filesystem paths.
Source: NVD/CVE Database

CVE-2024-4181: A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the…
critical | vulnerability | security | May 16, 2024 | CVE-2024-4181
A command injection vulnerability (a flaw that lets attackers run unauthorized commands) exists in the RunGptLLM class of the llama_index library version 0.9.47, which connects applications to language models. The vulnerability uses the eval function (a tool that executes text as code) unsafely, potentially allowing a malicious LLM provider to run arbitrary commands and take control of a user's machine.
Fix: This issue was fixed in version 0.10.13 of the llama_index library. Users should upgrade to version 0.10.13 or later.
Source: NVD/CVE Database

CVE-2024-34440: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affect…
critical | vulnerability | security | May 14, 2024 | CVE-2024-34440
CVE-2024-34440 is an unrestricted file upload vulnerability (a security flaw that lets users upload files without proper checks on file type) in the Jordy Meow AI Engine: ChatGPT Chatbot plugin affecting versions through 2.2.63. This vulnerability could potentially allow attackers to upload dangerous files to a system, but no severity score has been assigned yet.
Source: NVD/CVE Database

CVE-2024-0100: NVIDIA Triton Inference Server for Linux contains a vulnerability in the tracing API, where a user can corrupt system fi…
medium | vulnerability | security | May 14, 2024 | CVE-2024-0100
CVE-2024-0100 is a vulnerability in NVIDIA Triton Inference Server for Linux that allows a user to corrupt system files through the tracing API (a feature that tracks how the server runs). Successfully exploiting this vulnerability could cause denial of service (making the system unavailable) and data tampering (unauthorized changes to data).
Source: NVD/CVE Database

CVE-2024-0088: NVIDIA Triton Inference Server for Linux contains a vulnerability in shared memory APIs, where a user can cause an impro…
medium | vulnerability | security | May 14, 2024 | CVE-2024-0088
CVE-2024-0088 is a vulnerability in NVIDIA Triton Inference Server for Linux where a network user can trigger improper memory access through shared memory APIs, potentially causing denial of service (making a service unavailable) or data tampering. The vulnerability stems from out-of-bounds write errors, meaning the software tries to write data to memory locations it shouldn't access.
Source: NVD/CVE Database

CVE-2024-0087: NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitr…
critical | vulnerability | security | May 14, 2024 | CVE-2024-0087
CVE-2024-0087 is a vulnerability in NVIDIA Triton Inference Server for Linux that allows a user to set the logging location to any file they choose, and if that file already exists, logs get added to it. This could allow an attacker to execute code, crash the system, gain elevated permissions, steal information, or modify data.
Source: NVD/CVE Database

CVE-2024-34359: llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load…
critical | vulnerability | security | May 14, 2024 | CVE-2024-34359 | EPSS: 59.2%
llama-cpp-python (Python bindings for llama.cpp, a tool for running AI models locally) has a vulnerability where it loads chat templates from model files without proper security checks. When these templates are processed using Jinja2 (a templating engine), an attacker can inject malicious code through a specially crafted model file, leading to remote code execution (the ability to run arbitrary commands on the victim's computer).
Source: NVD/CVE Database

CVE-2024-34527: spaces_plugin/app.py in SolidUI 0.4.0 has an unnecessary print statement for an OpenAI key. The printed string might be…
high | vulnerability | security | May 6, 2024 | CVE-2024-34527
SolidUI version 0.4.0 contains a bug where the file spaces_plugin/app.py has an unnecessary print statement that outputs an OpenAI key (a secret credential used to authenticate with OpenAI's services). This printed key could be captured in log files (records of system activity), potentially exposing the credential to unauthorized users.
Source: NVD/CVE Database