![Protect AI Releases June 'Bug' Report Including Nvidia And Intel Vulnerabilities](https://image.chitra.live/api/v1/wps/636a593/fb2ec6ec-d40c-435c-a114-a441879483c6/3/bug-679x419.jpeg)
Protect.ai, which provides artificial intelligence application security, just released its June vulnerability report.
The report was created with Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program is made up of over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."
Among June's found vulnerabilities was one with Nvidia's Triton Inference Server, a "part of the Nvidia AI platform and available with Nvidia AI Enterprise," according to Nvidia. It is "open-source software that standardizes AI model deployment and execution," the company said.
The Triton Inference Server vulnerability allows hackers to perform log injections. Server versions 24.01 to 24.04 are affected.
A second vulnerability is with Intel's Neural Compressor, software that helps optimize and accelerate deep machine learning.
"A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU [Time-of-Check Time-of-Use] race condition," huntr said.
Here is a list of all vulnerabilities huntr has discovered this month:
CVE |
Title |
Severity |
CVSS |
Fixed |
Recommendations |
Critical |
10 |
Yes |
Upgrade to latest release |
||
CVE-2024-3234 |
LFI due to the use of outdated components in chuanhuchatgpt34 |
Critical |
9.8 |
Yes |
Upgrade to version 20240305 |
CVE-2024-3429 |
Critical |
9.8 |
Yes |
Upgrade to version 9.6 |
|
CVE-2024-3584 |
Path traversal in collection name leads to arbitrary file overwrite in qdrant |
Critical |
9.8 |
Yes |
Upgrade to version v1.9.0 |
Arbitrary file read and write during snapshot recovery in qdrant |
Critical |
9.8 |
Yes |
Upgrade to version v1.9.0 |
|
Critical |
9.8 |
Yes |
Upgrade to version 1.2.26 |
||
Critical |
9.6 |
Yes |
Upgrade to latest release |
||
Critical |
9.4 |
Yes |
Upgrade to version 1.2.25 |
||
Critical |
9.1 |
Yes |
Upgrade to version 1.2.8 |
||
lack of path sanitization for windows leads to LFI in lollms |
Critical |
9.1 |
Yes |
Upgrade to version 9.8 |
|
Critical |
9.1 |
Yes |
Upgrade to latest release |
||
Critical |
9.0 |
Yes |
Upgrade to version 24.04 |
||
High |
8.4 |
Yes |
Upgrade to version 9.5 |
||
Privilege Escalation Vulnerability to delete any datasets in lunary |
High |
8.2 |
Yes |
Upgrade to version 1.2.8 |
|
Default / manager user can escalate their privileges to Administrator in anything-llm |
High |
8.1 |
Yes |
Upgrade to latest release |
|
User with manager role is able to create new Administrator accounts in anything-llm |
High |
8.1 |
Yes |
Upgrade to latest release |
|
Improper access control-allow update org user to org owner in lunary |
High |
8.1 |
Yes |
Upgrade to version 1.2.7 |
|
High |
7.8 |
Yes |
Upgrade to version 0.27.0 |
||
Improper access control-allow update prompt that is deployed in lunary |
High |
7.6 |
Yes |
Upgrade to version 1.2.25 |
|
Authorization header leakage on same-domain but cross-origin redirect in scrapy |
High |
7.5 |
Yes |
Upgrade to version 2.11.2 |
|
High |
7.5 |
Yes |
Upgrade to version 1.2.8 |
||
High |
7.5 |
Yes |
Upgrade to version 1.2.25 |
||
High |
7.5 |
Yes |
Upgrade to version 4.31.4 |
||
Path traversal leads to read any file on the Windows platform system in lollms |
High |
7.5 |
Yes |
Upgrade to version 5.9.0 |
|
Medium |
5.5 |
Yes |
Upgrade to version 24.04 |
||
Medium |
5.4 |
Yes |
Upgrade to version 1.2.25 |
||
Unexpected Training Data Storage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn |
Medium |
5.3 |
Yes |
Upgrade to version 1.5.0 |
|
Denial of service by assigning specific user id in anything-llm |
Medium |
4.9 |
Yes |
Upgrade to latest release |
|
User modification allows for data modification in anything-llm |
Medium |
4.9 |
Yes |
Upgrade to latest release |
|
Medium |
4.7 |
Yes |
Upgrade to latest release |
||
Medium |
4.3 |
Yes |
Upgrade to latest release |