Protect AI Releases June 'Bug' Report Including Nvidia And Intel Vulnerabilities

The report lists 31 vulnerabilities.

Samara Lynn
clock • 4 min read
Protect AI Releases June 'Bug' Report Including Nvidia And Intel Vulnerabilities

Protect.ai, which provides artificial intelligence application security, just released its June vulnerability report.

The report was created with Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program is made up of over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."   

Among June's found vulnerabilities was one with Nvidia's Triton Inference Server, a "part of the Nvidia AI platform and available with Nvidia AI Enterprise," according to Nvidia. It is "open-source software that standardizes AI model deployment and execution," the company said.

The Triton Inference Server vulnerability allows hackers to perform log injections. Server versions 24.01 to 24.04 are affected.  

A second vulnerability is with Intel's Neural Compressor, software that helps optimize and accelerate deep machine learning.  

"A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU [Time-of-Check Time-of-Use] race condition," huntr said.  

Here is a list of all vulnerabilities huntr has discovered this month:   

CVE

Title

Severity

CVSS

Fixed

Recommendations

CVE-2024-22476

SQL Injection and RCE in neural-compressor

Critical

10

Yes

Upgrade to latest release

CVE-2024-3234

LFI due to the use of outdated components in chuanhuchatgpt34

Critical

9.8

Yes

Upgrade to version 20240305

CVE-2024-3429

Arbitrary file reading via path traversal in lollms

Critical

9.8

Yes

Upgrade to version 9.6

CVE-2024-3584

Path traversal in collection name leads to arbitrary file overwrite in qdrant

Critical

9.8

Yes

Upgrade to version v1.9.0

CVE-2024-3829

Arbitrary file read and write during snapshot recovery in qdrant

Critical

9.8

Yes

Upgrade to version v1.9.0

CVE-2024-4146

User can access unauthorized projects from org in lunary

Critical

9.8

Yes

Upgrade to version 1.2.26

CVE-2024-3149

SSRF in the upload link feature leads to accessing internal Collector API and escalating attack to arbitrary file deletion and Limited LFI in anything-llm

Critical

9.6

Yes

Upgrade to latest release

CVE-2024-5128

IDOR- allow view/update/delete any dataset_prompt/dataset_prompt_variation in any dataset/projects in lunary

Critical

9.4

Yes

Upgrade to version 1.2.25

CVE-2024-3761

Missing Authorization on Delete Datasets in lunary

Critical

9.1

Yes

Upgrade to version 1.2.8

CVE-2024-4315

lack of path sanitization for windows leads to LFI in lollms

Critical

9.1

Yes

Upgrade to version 9.8

CVE-2024-5211

Path traversal to Arbitrary file Read/Delete/Overwrite, DoS attack and admin account takeover in anything-llm

Critical

9.1

Yes

Upgrade to latest release

CVE-2024-0087

Arbitrary File Creation/Appending in Log File Configuration Interface Can Lead to Remote Code Execution in Nvidia Triton Inference server

Critical

9.0

Yes

Upgrade to version 24.04

CVE-2024-3322

Path traversal in native personality 'cyber_security/codeguard' causes Arbitrary File leak and overwrite of directories in lollms-webui

High

8.4

Yes

Upgrade to version 9.5

CVE-2024-5129

Privilege Escalation Vulnerability to delete any datasets in lunary

High

8.2

Yes

Upgrade to version 1.2.8

CVE-2024-3150

Default / manager user can escalate their privileges to Administrator in anything-llm

High

8.1

Yes

Upgrade to latest release

CVE-2024-4287

User with manager role is able to create new Administrator accounts in anything-llm

High

8.1

Yes

Upgrade to latest release

CVE-2024-3504

Improper access control-allow update org user to org owner in lunary

High

8.1

Yes

Upgrade to version 1.2.7

CVE-2024-2914

Tarslip that leads to arbitary file write in djl

High

7.8

Yes

Upgrade to version 0.27.0

CVE-2024-5126

Improper access control-allow update prompt that is deployed in lunary

High

7.6

Yes

Upgrade to version 1.2.25

CVE-2024-1968

Authorization header leakage on same-domain but cross-origin redirect in scrapy

High

7.5

Yes

Upgrade to version 2.11.2

CVE-2024-5130

Unauthenticated delete any dataset in lunary

High

7.5

Yes

Upgrade to version 1.2.8

CVE-2024-5131

IDOR- allow view any prompts in any projects in lunary

High

7.5

Yes

Upgrade to version 1.2.25

CVE-2024-4941

LFI in JSON component in gradio

High

7.5

Yes

Upgrade to version 4.31.4

CVE-2024-4881

Path traversal leads to read any file on the Windows platform system in lollms

High

7.5

Yes

Upgrade to version 5.9.0

CVE-2024-0088

System Shared Memory Operation Interface and Associated Logic Vulnerability - Out-of-Bounds Write in Nvidia Triton Inference Server

Medium

5.5

Yes

Upgrade to version 24.04

CVE-2024-5127

A user from free plan can invite other members assigning them any role and they are able to join the project in lunary

Medium

5.4

Yes

Upgrade to version 1.2.25

CVE-2024-5206

Unexpected Training Data Storage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn

Medium

5.3

Yes

Upgrade to version 1.5.0

CVE-2024-4284

Denial of service by assigning specific user id in anything-llm

Medium

4.9

Yes

Upgrade to latest release

CVE-2024-4286

User modification allows for data modification in anything-llm

Medium

4.9

Yes

Upgrade to latest release

CVE-2024-21792

Insecure Temporary File Permissions in neural compressor

Medium

4.7

Yes

Upgrade to latest release

CVE-2024-0095

Log Injection in Nvidia Triton Inference Server

Medium

4.3

Yes

Upgrade to latest release

You may also like
Remote Access Firm TeamViewer Hit By Russian Intelligence Cyberattack

Security

The intrusion was restricted to internal systems, the company said.

clock 07-01-2024 • 2 min read
Surge In Global Ransomware Attacks As LockBit Returns

Security

LockBit 3.0 resurfaces as leading threat actor.

clock 06-21-2024 • 3 min read
Biden Administration Bans Kaspersky Software Over Security Concerns

Security

Commerce secretary Gina Raimondo highlighted threats to critical infrastructure, while Kaspersky plans legal action.

clock 06-21-2024 • 3 min read

More on Security

Mammoth Microsoft Patch Tuesday Fixes Four Zero-Days, Five Critical Bugs

Mammoth Microsoft Patch Tuesday Fixes Four Zero-Days, Five Critical Bugs

142 holes plugged this month

John Leonard
clock 07-12-2024 • 3 min read
Remote Access Firm TeamViewer Hit By Russian Intelligence Cyberattack

Remote Access Firm TeamViewer Hit By Russian Intelligence Cyberattack

The intrusion was restricted to internal systems, the company said.

clock 07-01-2024 • 2 min read
Google Underplaying Risk Of Compromised Extensions To Chrome

Google Underplaying Risk Of Compromised Extensions To Chrome

Half the extensions known to feature vulnerabilities in Google Chrome are still available in the Web Store two years after disclosure, claim researchers

Graeme Burton
clock 06-27-2024 • 3 min read