Huge Flaw Found in AI Python Package 

Sources: 

https://www.securityweek.com/critical-flaw-in-ai-python-package-can-lead-to-system-and-data-compromise/

https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-34359-threatening-your-software-supply-chain/

Patrick Peng recently discovered a flaw within the AI Python library  'llama-cpp-python' (used for integrating AI models with Python) and it has been identified as CVE-2024-34359The issue is that there is not proper security implemented in handling chat templates using 'jinja2'. Jinja2 is a library and is a popular tool within python, and is very powerful when used correctly. But Jinja2 was not implemented correctly, which resulted in the CVE-2024-34359 flaw.

This vulnerability allows hackers to execute arbitrary code on that system running the library, potentially allowing for attackers to control that system. This can also lead to data theft and system compromise, affecting both personal information or data from large organizations.

Over 6.000 AI models on the popular and trusted Hugging Face platform were affected, putting an emphasis on how many businesses and companies could've been affected.. This vulnerability was been resolved with the new release of llama_cpp_python 0.2.72. 

This incident proves just how important it is to have extra security measures, and carefully managing software dependencies. It also raises concerns on the trustworthiness of websites that many people use and download from.

Comments

Post a Comment

Popular posts from this blog

Major Tech Outage On July 19th, 2024 a global tech outage occurred. This outage hit many different types of businesses anywhere from airlines to small businesses. The culprit of this major outage was a software update for Microsoft Windows. This update was issued from a company called CrowdStrike, and the reason for the update was for the company's cybersecurity. CrowdStrike is a company that provides businesses with preventing security breaches, and is a major provider, with more than 500 customers on the Fortune 1000 list. Multiple people reached out to me personally, and let me know their own workplace has been affected. The major outage that occurred in places all over the world is said to not be an attack, but it leaves me wondering if that is true or not. You can find probably over a hundred articles on this topic, but here are a couple articles that I used.  https://www.theverge.com/2024/7/19/24201864/crowdstrike-outage-explained-microsoft-windows-bsod https://www.cnn.com/bu...
Read more
 AT&T Cyberattack Today July 12, 2024, AT&T came out with an announcement that data has been breached from almost all customers of the giant brand. The attack occurred in 2022 and lasted over five months. The data leak impacted around 109 million accounts. I believe the number of people affected could be around 200 million, because usually there is more than one phone on an account. AT&T does not believe the data leaked is publicly available, and they state that "the data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of births, or other personally identifiable information." But I find that last statement hard to believe. AT&T also said the data compromised includes calls and texts, which contradicts other statements they have made. This means people can see texts and the phone number associated with those texts, and then go online to find out whose number that is. This data breach calls attention to...
Read more
 Cybersecurity Budgets Are On The Rise I found an article stating corporate cybersecurity budgets have increased almost 60 percent just this year. You can thank the rise of cyber threats, as well as the increase in the desire for artificial intelligence for this budget increase. Out of the organizations in this research, 61 percent said they have experienced a cybersecurity incident within the past two years. More than half the organizations state the budget increase is based on the proven effectiveness for reducing security incidents, as well as assessing risks and threats that those organization face. These methods to find better security practices also costed an average of 26 million dollars per company.  These numbers show the importance of the need to keep up with the fast changing world of technology. With new ways of attacking a company coming with new technology, as well as the rise of AI. You can read the article here: https://www.cfodive.com/news/60-corporate-cy...
Read more