Protect AI Releases June 'Bug' Report Including Nvidia And Intel Vulnerabilities

Protect.ai, which provides artificial intelligence application security, just released its June vulnerability report.

The report was created with Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program is made up of over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."

Among June's found vulnerabilities was one with Nvidia's Triton Inference Server, a "part of the Nvidia AI platform and available with Nvidia AI Enterprise," according to Nvidia. It is "open-source software that standardizes AI model deployment and execution," the company said.

The Triton Inference Server vulnerability allows hackers to perform log injections. Server versions 24.01 to 24.04 are affected.

A second vulnerability is with Intel's Neural Compressor, software that helps optimize and accelerate deep machine learning.

"A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU [Time-of-Check Time-of-Use] race condition," huntr said.

Here is a list of all vulnerabilities huntr has discovered this month:

CVE	Title	Severity	CVSS	Fixed	Recommendations
CVE-2024-22476	SQL Injection and RCE in neural-compressor	Critical	10	Yes	Upgrade to latest release
CVE-2024-3234	LFI due to the use of outdated components in chuanhuchatgpt34	Critical	9.8	Yes	Upgrade to version 20240305
CVE-2024-3429	Arbitrary file reading via path traversal in lollms	Critical	9.8	Yes	Upgrade to version 9.6
CVE-2024-3584	Path traversal in collection name leads to arbitrary file overwrite in qdrant	Critical	9.8	Yes	Upgrade to version v1.9.0
CVE-2024-3829	Arbitrary file read and write during snapshot recovery in qdrant	Critical	9.8	Yes	Upgrade to version v1.9.0
CVE-2024-4146	User can access unauthorized projects from org in lunary	Critical	9.8	Yes	Upgrade to version 1.2.26
CVE-2024-3149	SSRF in the upload link feature leads to accessing internal Collector API and escalating attack to arbitrary file deletion and Limited LFI in anything-llm	Critical	9.6	Yes	Upgrade to latest release
CVE-2024-5128	IDOR- allow view/update/delete any dataset_prompt/dataset_prompt_variation in any dataset/projects in lunary	Critical	9.4	Yes	Upgrade to version 1.2.25
CVE-2024-3761	Missing Authorization on Delete Datasets in lunary	Critical	9.1	Yes	Upgrade to version 1.2.8
CVE-2024-4315	lack of path sanitization for windows leads to LFI in lollms	Critical	9.1	Yes	Upgrade to version 9.8
CVE-2024-5211	Path traversal to Arbitrary file Read/Delete/Overwrite, DoS attack and admin account takeover in anything-llm	Critical	9.1	Yes	Upgrade to latest release
CVE-2024-0087	Arbitrary File Creation/Appending in Log File Configuration Interface Can Lead to Remote Code Execution in Nvidia Triton Inference server	Critical	9.0	Yes	Upgrade to version 24.04
CVE-2024-3322	Path traversal in native personality 'cyber_security/codeguard' causes Arbitrary File leak and overwrite of directories in lollms-webui	High	8.4	Yes	Upgrade to version 9.5
CVE-2024-5129	Privilege Escalation Vulnerability to delete any datasets in lunary	High	8.2	Yes	Upgrade to version 1.2.8
CVE-2024-3150	Default / manager user can escalate their privileges to Administrator in anything-llm	High	8.1	Yes	Upgrade to latest release
CVE-2024-4287	User with manager role is able to create new Administrator accounts in anything-llm	High	8.1	Yes	Upgrade to latest release
CVE-2024-3504	Improper access control-allow update org user to org owner in lunary	High	8.1	Yes	Upgrade to version 1.2.7
CVE-2024-2914	Tarslip that leads to arbitary file write in djl	High	7.8	Yes	Upgrade to version 0.27.0
CVE-2024-5126	Improper access control-allow update prompt that is deployed in lunary	High	7.6	Yes	Upgrade to version 1.2.25
CVE-2024-1968	Authorization header leakage on same-domain but cross-origin redirect in scrapy	High	7.5	Yes	Upgrade to version 2.11.2
CVE-2024-5130	Unauthenticated delete any dataset in lunary	High	7.5	Yes	Upgrade to version 1.2.8
CVE-2024-5131	IDOR- allow view any prompts in any projects in lunary	High	7.5	Yes	Upgrade to version 1.2.25
CVE-2024-4941	LFI in JSON component in gradio	High	7.5	Yes	Upgrade to version 4.31.4
CVE-2024-4881	Path traversal leads to read any file on the Windows platform system in lollms	High	7.5	Yes	Upgrade to version 5.9.0
CVE-2024-0088	System Shared Memory Operation Interface and Associated Logic Vulnerability - Out-of-Bounds Write in Nvidia Triton Inference Server	Medium	5.5	Yes	Upgrade to version 24.04
CVE-2024-5127	A user from free plan can invite other members assigning them any role and they are able to join the project in lunary	Medium	5.4	Yes	Upgrade to version 1.2.25
CVE-2024-5206	Unexpected Training Data Storage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn	Medium	5.3	Yes	Upgrade to version 1.5.0
CVE-2024-4284	Denial of service by assigning specific user id in anything-llm	Medium	4.9	Yes	Upgrade to latest release
CVE-2024-4286	User modification allows for data modification in anything-llm	Medium	4.9	Yes	Upgrade to latest release
CVE-2024-21792	Insecure Temporary File Permissions in neural compressor	Medium	4.7	Yes	Upgrade to latest release
CVE-2024-0095	Log Injection in Nvidia Triton Inference Server	Medium	4.3	Yes	Upgrade to latest release