Protect AI Releases June 'Bug' Report Including Nvidia And Intel Vulnerabilities

The report lists 31 vulnerabilities.

Protect.ai, which provides artificial intelligence application security, just released its June vulnerability report.

The report was created with Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program is made up of over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."

Among June's found vulnerabilities was one with Nvidia's Triton Inference Server, a "part of the Nvidia AI platform and available with Nvidia AI Enterprise," according to Nvidia. It is "open-source software that standardizes AI model deployment and execution," the company said.

The Triton Inference Server vulnerability allows hackers to perform log injections. Server versions 24.01 to 24.04 are affected.

A second vulnerability is with Intel's Neural Compressor, software that helps optimize and accelerate deep machine learning.

"A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU [Time-of-Check Time-of-Use] race condition," huntr said.

Here is a list of all vulnerabilities huntr has discovered this month:

| CVE | Title | Severity | CVSS | Fixed | Recommendations |
|---|---|---|---|---|---|
| CVE-2024-22476 | SQL Injection and RCE in neural-compressor | Critical | 10 | Yes | Upgrade to latest release |
| CVE-2024-3234 | LFI due to the use of outdated components in chuanhuchatgpt34 | Critical | 9.8 | Yes | Upgrade to version 20240305 |
| CVE-2024-3429 | Arbitrary file reading via path traversal in lollms | Critical | 9.8 | Yes | Upgrade to version 9.6 |
| CVE-2024-3584 | Path traversal in collection name leads to arbitrary file overwrite in qdrant | Critical | 9.8 | Yes | Upgrade to version v1.9.0 |
| CVE-2024-3829 | Arbitrary file read and write during snapshot recovery in qdrant | Critical | 9.8 | Yes | Upgrade to version v1.9.0 |
| CVE-2024-4146 | User can access unauthorized projects from org in lunary | Critical | 9.8 | Yes | Upgrade to version 1.2.26 |
| CVE-2024-3149 | SSRF in the upload link feature leads to accessing internal Collector API and escalating attack to arbitrary file deletion and Limited LFI in anything-llm | Critical | 9.6 | Yes | Upgrade to latest release |
| CVE-2024-5128 | IDOR- allow view/update/delete any dataset_prompt/dataset_prompt_variation in any dataset/projects in lunary | Critical | 9.4 | Yes | Upgrade to version 1.2.25 |
| CVE-2024-3761 | Missing Authorization on Delete Datasets in lunary | Critical | 9.1 | Yes | Upgrade to version 1.2.8 |
| CVE-2024-4315 | lack of path sanitization for windows leads to LFI in lollms | Critical | 9.1 | Yes | Upgrade to version 9.8 |
| CVE-2024-5211 | Path traversal to Arbitrary file Read/Delete/Overwrite, DoS attack and admin account takeover in anything-llm | Critical | 9.1 | Yes | Upgrade to latest release |
| CVE-2024-0087 | Arbitrary File Creation/Appending in Log File Configuration Interface Can Lead to Remote Code Execution in Nvidia Triton Inference server | Critical | 9.0 | Yes | Upgrade to version 24.04 |
| CVE-2024-3322 | Path traversal in native personality 'cyber_security/codeguard' causes Arbitrary File leak and overwrite of directories in lollms-webui | High | 8.4 | Yes | Upgrade to version 9.5 |
| CVE-2024-5129 | Privilege Escalation Vulnerability to delete any datasets in lunary | High | 8.2 | Yes | Upgrade to version 1.2.8 |
| CVE-2024-3150 | Default / manager user can escalate their privileges to Administrator in anything-llm | High | 8.1 | Yes | Upgrade to latest release |
| CVE-2024-4287 | User with manager role is able to create new Administrator accounts in anything-llm | High | 8.1 | Yes | Upgrade to latest release |
| CVE-2024-3504 | Improper access control-allow update org user to org owner in lunary | High | 8.1 | Yes | Upgrade to version 1.2.7 |
| CVE-2024-2914 | Tarslip that leads to arbitrary file write in djl | High | 7.8 | Yes | Upgrade to version 0.27.0 |
| CVE-2024-5126 | Improper access control-allow update prompt that is deployed in lunary | High | 7.6 | Yes | Upgrade to version 1.2.25 |
| CVE-2024-1968 | Authorization header leakage on same-domain but cross-origin redirect in scrapy | High | 7.5 | Yes | Upgrade to version 2.11.2 |
| CVE-2024-5130 | Unauthenticated delete any dataset in lunary | High | 7.5 | Yes | Upgrade to version 1.2.8 |
| CVE-2024-5131 | IDOR- allow view any prompts in any projects in lunary | High | 7.5 | Yes | Upgrade to version 1.2.25 |
| CVE-2024-4941 | LFI in JSON component in gradio | High | 7.5 | Yes | Upgrade to version 4.31.4 |
| CVE-2024-4881 | Path traversal leads to read any file on the Windows platform system in lollms | High | 7.5 | Yes | Upgrade to version 5.9.0 |
| CVE-2024-0088 | System Shared Memory Operation Interface and Associated Logic Vulnerability - Out-of-Bounds Write in Nvidia Triton Inference Server | Medium | 5.5 | Yes | Upgrade to version 24.04 |
| CVE-2024-5127 | A user from free plan can invite other members assigning them any role and they are able to join the project in lunary | Medium | 5.4 | Yes | Upgrade to version 1.2.25 |
| CVE-2024-5206 | Unexpected Training Data Storage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn | Medium | 5.3 | Yes | Upgrade to version 1.5.0 |
| CVE-2024-4284 | Denial of service by assigning specific user id in anything-llm | Medium | 4.9 | Yes | Upgrade to latest release |
| CVE-2024-4286 | User modification allows for data modification in anything-llm | Medium | 4.9 | Yes | Upgrade to latest release |
| CVE-2024-21792 | Insecure Temporary File Permissions in neural compressor | Medium | 4.7 | Yes | Upgrade to latest release |
| CVE-2024-0095 | Log Injection in Nvidia Triton Inference Server | Medium | 4.3 | Yes | Upgrade to latest release |

Dan McInerney & Marcello Salvati