
3086 matches found

Cvelist
added 2025/01/14 6:49 p.m., 13 views

CVE-2025-23042 Gradio Blocked Path ACL Bypass Vulnerability

Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

8.7 CVSS, 0.00135 EPSS
Exploits 1, References 1
OSSF Malicious Packages
added 2025/01/14 4:53 p.m., 3 views

Malicious code in amzn-aws-glue-ml-libs-python (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e5986d73558862130dbb1317c6a92532786ec34f23d4d88c8fd6273198c5ce45 This is a couple of packages with names appearing to be a library for an AWS or other service. Their only behaviour is to call home on installation or import -...

6.9 AI score
Exploits 0, References 1
CNNVD
added 2025/01/14 12:00 a.m., 1 views

Rasa security vulnerability

Rasa is an open source machine learning framework for automating text and speech based conversations. A security vulnerability exists in Rasa. An attacker exploiting the vulnerability can remotely execute code...

9 CVSS, 6.7 AI score, 0.04476 EPSS
Exploits 0, References 1
Rapid7 Blog
added 2024/12/06 2:00 p.m., 5 views

Rapid7 Extends Cloud Security Capabilities with Updates to Exposure Command

The cloud has become the backbone of modern innovation, powering everything from AI to remote work. But as organizations embrace the cloud, they also face an ever-expanding and increasingly complex attack surface. With purpose-built harvesting technology providing real-time visibility into...

7.7 AI score
Exploits 0
The Hacker News
added 2024/12/06 11:28 a.m., 12 views

Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22...

9.8 CVSS, 7.2 AI score, 0.00439 EPSS
Exploits 2
Qualys Blog
added 2024/12/06 12:56 a.m., 22 views

Qualys TotalAI: The Journey from LLM Scanner to Comprehensive AI Security Solution

Embarking on the AI/ML Journey The launch of Qualys TotalAI marks a significant milestone in our journey with AI/ML. It all began in March 2024 when we ventured into the rapidly evolving AI/ML landscape and the emerging LLM ecosystem. Recognizing the potential of these technologies to revolutioni...

7.5 AI score
Exploits 0
Rapid7 Blog
added 2024/12/02 2:30 p.m., 7 views

Why Cybercriminals Are Not Necessarily Embracing AI

As published in HackerNoon and featured as a “Top 20 Best Read Article” for AI. Introduction The rapid advancement of AI has offered powerful tools for malware detection, but it has also introduced new avenues for adversarial attacks. As an example, recently OpenAI reported threat actors abusing...

7.4 AI score
Exploits 0
BDU FSTEC
added 2024/11/29 12:00 a.m., 1 views

A vulnerability in the Intel Neural Compressor library for optimizing machine learning models, caused by missing protection of SQL query structures, allows attackers to escalate their privileges.

The vulnerability in the Intel Neural Compressor library for optimizing machine learning models stems from missing protective measures for SQL query structures. Exploiting it can allow a remote attacker to escalate their privileges...

8 CVSS, 5.6 AI score, 0.00087 EPSS
Exploits 0, References 2, Affected Software 1
BDU FSTEC
added 2024/11/29 12:00 a.m., 1 views

A vulnerability in the Intel Neural Compressor library for optimizing machine learning models, caused by a failure to neutralize special elements in the template creation mechanism, allows attackers to escalate their privileges.

The vulnerability in the Intel Neural Compressor library for optimizing machine learning models stems from a failure to neutralize special elements in the template creation mechanism. Exploiting it can allow a remote attacker to escalate their privileges...

7 CVSS, 5.5 AI score, 0.00176 EPSS
Exploits 0, References 2, Affected Software 1
CNVD
added 2024/11/26 12:00 a.m., 5 views

Polyaxon Container Escape Vulnerability

Polyaxon is an open source platform designed to simplify the lifecycle management of machine learning and deep learning projects. Polyaxon suffers from a container escape vulnerability that can be exploited by attackers to compromise the confidentiality, availability, and integrity of the system...

7.5 CVSS, 7 AI score, 0.0123 EPSS
Exploits 0, References 1
CNVD
added 2024/11/26 12:00 a.m., 4 views

Polyaxon Container Escape Vulnerability (CNVD-2024-46011)

Polyaxon is an open source platform designed to simplify the lifecycle management of machine learning and deep learning projects. Polyaxon suffers from a container escape vulnerability that can be exploited by attackers to compromise the confidentiality, availability, and integrity of the system...

7.5 CVSS, 7 AI score, 0.24558 EPSS
Exploits 0, References 1
PyPA
added 2024/11/25 2:15 p.m., 8 views

PYSEC-2024-224

Excessive directory permissions in MLflow lead to local privilege escalation when using sparkudf. This behavior can be exploited by a local attacker to gain elevated permissions via a TOCTOU (time-of-check to time-of-use) attack. The issue is only relevant when the sparkudf MLflow API is called...

7 CVSS, 6.9 AI score, 0.0003 EPSS
Exploits 0, References 3, Affected Software 1
The Hacker News
added 2024/11/15 12:35 p.m., 6 views

Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform

Cybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud. "By exploiting custom job permissions, we were able to escalate ou...

8.9 AI score
Exploits 0
CNVD
added 2024/11/15 12:00 a.m., 5 views

IBM Security ReaQta Cross-Site Scripting Vulnerability

ReaQta is an advanced endpoint security platform from IBM Security that utilizes artificial intelligence and machine learning technologies to identify, manage and automate responses to cybersecurity threats. A cross-site scripting vulnerability exists in Security ReaQta that stems from the...

4.8 CVSS, 5.9 AI score, 0.00174 EPSS
Exploits 0, References 1
The Hacker News
added 2024/11/11 10:11 a.m., 12 views

Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation

Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML)-related open-source projects. These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published...

8.8 CVSS, 10 AI score, 0.87694 EPSS
Exploits 3
Rapid7 Blog
added 2024/11/08 2:30 p.m., 9 views

Mind the Gap: How Surface Command Tackles Asset Visibility in Attack Surface Management

“Only 17% of organizations can clearly identify and inventory a majority (95% or more) of their assets.” - Gartner

Imagine the scenario: your organization has been exposed to a new zero-day vulnerability. You are responsible for Threat & Vulnerability Management (TVM), you have asked your IT departme...

6.6 AI score
Exploits 0
Positive Technologies
added 2024/11/05 12:00 a.m., 3 views

PT-2024-33683

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6; SuiteCRM versions prior to 8.7.1. Description: The issue arises from the way SuiteCRM checks PHP scripts against a blacklist of functions and methods to prevent the installation of malicious MLPs. However, thi...

7.2 CVSS, 5.8 AI score, 0.0004 EPSS
Exploits 0, References 9
The Hacker News
added 2024/10/25 12:25 p.m., 21 views

Apple Opens PCC Source Code for Researchers to Identify Bugs in Cloud AI Security

Apple has publicly made available its Private Cloud Compute (PCC) Virtual Research Environment (VRE), allowing the research community to inspect and verify the privacy and security guarantees of its offering. PCC, which Apple unveiled earlier this June, has been marketed as the "most advanced securit...

7 AI score
Exploits 0
Wallarm Lab
added 2024/10/25 12:09 p.m., 11 views

Reducing False Positives in API Security: Advanced Techniques Using Machine Learning

False positives in API security are a serious problem, often resulting in wasted results and time, missing real threats, alert fatigue, and operational disruption. Fortunately, however, emerging technologies like machine learning (ML) can help organizations minimize false positives and streamline t...

7.8 AI score
Exploits 0
Positive Technologies
added 2024/10/24 12:00 a.m., 6 views

PT-2024-40926 · Pqcrypto · Pqcrypto

Name of the Vulnerable Software and Affected Versions: pqcrypto crate (affected versions not specified). Description: The pqcrypto crate has been replaced by pqcrypto-mldsa, which provides a FIPS 204-compatible implementation of ML-DSA. Recommendations: At the moment, there is no information about a...

7 AI score
Exploits 0, References 3