Protect AI Releases 'Bug Bounty' Report On May Vulnerabilities
The vulnerabilities involve tools used to build AI apps
Protect AI, which offers artificial intelligence application security, just released its May vulnerability report.
The report draws on findings from Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program has over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."
The vulnerabilities involve tools used to build ML models that fuel AI applications. The huntr community, along with Protect AI researchers, found these tools to be vulnerable to "unique security threats."
Here is a list of the vulnerabilities huntr has discovered:
Remote Code Execution (RCE) in LoLLMs
"Impact: This vulnerability can lead to an attacker running arbitrary code on the server.
A vulnerability present in older versions of llama-cpp-python combined with the binding_zoo feature in the LoLLMs webserver can allow attackers to use a malicious 3rd party hosted model to execute code remotely."
Denial of Service (DOS) in mintplex-labs/anything-llm
"Impact: This vulnerability allows an attacker to shut down the server through the file upload endpoint.
The vulnerability is present in the file upload endpoint, where a specially crafted request can cause the server to shut down. This issue arises from the server's inability to properly handle certain types of upload requests, making it susceptible to a Denial of Service (DOS) attack."
Remote Code Execution (RCE) in mintplex-labs/anything-llm
"Impact: This vulnerability can allow attackers to remotely execute code on the server.
The vulnerability involves injecting malicious code into the LocalAiBasePath parameter which will write the code to a .env file. Through a string of other HTTP requests, this code can then be triggered leading to server takeover."
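The third finding describes a request parameter being persisted into a .env file. The following is an added example (not anything-llm's own code) of the defensive pattern for that situation: a naive writer that interpolates the value verbatim beside a hardened writer that validates it as an http(s) URL, rejects control characters and quotes the result. The function names and the env key name are assumptions made for illustration.

```javascript
// Added example, not anything-llm's code. The env key name is assumed.
const ENV_KEY = "LOCAL_AI_BASE_PATH";

// Naive writer: interpolates the value verbatim. A value containing a line
// break becomes an extra, attacker-controlled line in the .env file.
function naiveEnvLine(value) {
  return `${ENV_KEY}=${value}\n`;
}

// Hardened writer: accept only a well-formed http(s) URL with no control
// characters, then emit it double-quoted with backslash and quote escaped.
function safeEnvLine(value) {
  if (typeof value !== "string" || value.length > 2048) {
    throw new Error("base path must be a short string");
  }
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    throw new Error("control characters are not allowed");
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error("base path must be an absolute URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("only http(s) base paths are accepted");
  }
  const quoted = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `${ENV_KEY}="${quoted}"\n`;
}

// Count how many KEY=VALUE lines a writer produced for one input; the
// hardened writer must always yield exactly one.
function envLineCount(text) {
  return text.split("\n").filter((l) => /^[A-Z_][A-Z0-9_]*=/.test(l)).length;
}

// Constructed sample values: a legitimate base path and one that smuggles
// a second line into the file.
const GOOD = "http://localhost:8080/v1";
const BAD = "http://localhost:8080/v1\nINJECTED_KEY=1";

console.log(envLineCount(naiveEnvLine(BAD))); // 2: the naive writer emitted two keys
console.log(safeEnvLine(GOOD));               // one quoted line
```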
Protect AI also published remediation recommendations for these vulnerabilities (the company additionally offers Sightline, a security feed of all issues found):
Upgrade to version 0.10.13
Upgrade to version 200bd7f0615347ed2efc07903d510e5a208b0afc
Upgrade to version 2.11.3
Upgrade to version 2.12.1
Upgrade to version 49f30e051c9f6e28977d57d0e5f49c1294094e41
Upgrade to version b8d37d9f43af2facab4c51146a46229a58cb53d9
Upgrade to version 0.56.2
Upgrade to version 2.10.1
Upgrade to version 2374939ffb551ab2929d7f9d5827fe6597fa8caa
Upgrade to version 0.56.3
Upgrade to version 0.1.12
Upgrade to version 0.55.5