A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution.
Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx.
“If exploited, it could enable attackers to execute arbitrary code on your technique, compromising data and operations,” security researcher Guy Nachshon said.
llama_cpp_python, a Python binding for the llama.cpp library, is a popular package with about 3 million downloads to date, allowing developers to integrate AI models with Python.
Security researcher Patrick Peng (retr0reg) has been credited with identifying and reporting the flaw, which has been addressed in version .2.72.
The core issue stems from the misuse of the Jinja2 template engine within the llama_cpp_python package, allowing for server-side template injection that leads to remote code execution by means of a specially crafted payload.
“The exploitation of this vulnerability can lead to unauthorized actions by attackers, which include information theft, system compromise, and disruption of functions,” Checkmarx reported.
“The discovery of CVE-2024-34359 serves as a stark reminder of the vulnerabilities that can crop up at the confluence of AI and source chain security. It highlights the need for vigilant security procedures through the lifecycle of AI methods and their parts.”
Code Execution Flaw in PDF.js
The development follows the discovery of a high-severity flaw in Mozilla’s PDF.js JavaScript library (CVE-2024-4367) that could enable the execution of arbitrary code.
“A kind check out was missing when handling fonts in PDF.js, which would enable arbitrary JavaScript execution in the PDF.js context,” Mozilla reported in an advisory.
Codean Labs, which characterised the flaw as an “oversight in a unique part of the font rendering code,” said it permits an attacker to execute JavaScript code as soon as a malware-laced PDF document is opened in the Firefox browser.
The issue has been addressed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11, shipped last week. It has also been resolved in the npm module pdfjs-dist version 4.2.67, released on April 29, 2024.
“Most wrapper libraries like react-pdf have also produced patched versions,” security researcher Thomas Rinsma mentioned. “Because some increased level PDF-connected libraries statically embed PDF.js, we suggest recursively examining your node_modules folder for documents termed pdf.js to be confident.”
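The recursive node_modules check recommended above can be scripted. The following is an added example, not code from Codean Labs or Mozilla: it flags pdfjs-dist installs older than 4.2.67 and bundle files sitting outside a pdfjs-dist directory. The function names, the sample tree and the extra file names pdf.mjs and pdf.min.js are assumptions.

```python
import json
import os
import tempfile

FIXED = (4, 2, 67)  # pdfjs-dist release the article names as patched
# pdf.js is the name given in the article; the other two are assumed variants.
BUNDLE_NAMES = {"pdf.js", "pdf.mjs", "pdf.min.js"}


def parse_version(text):
    """Turn '4.0.379' into (4, 0, 379), ignoring pre-release/build suffixes."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def audit(root):
    """Return (outdated pdfjs-dist installs, bundle copies outside pdfjs-dist)."""
    outdated, embedded = [], []
    for dirpath, _dirs, files in os.walk(root):
        in_pdfjs_dist = "pdfjs-dist" in dirpath.split(os.sep)
        if os.path.basename(dirpath) == "pdfjs-dist" and "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                version = json.load(fh).get("version", "0.0.0")
            if parse_version(version) < FIXED:
                outdated.append((os.path.relpath(dirpath, root), version))
        if not in_pdfjs_dist:  # statically embedded copy inside another package
            embedded += [os.path.relpath(os.path.join(dirpath, name), root)
                         for name in files if name in BUNDLE_NAMES]
    return sorted(outdated), sorted(embedded)


def build_sample(root):
    """Constructed node_modules tree for the demo; viewer-a/viewer-b are made up."""
    layout = {
        "node_modules/pdfjs-dist/package.json": '{"version": "4.0.379"}',
        "node_modules/pdfjs-dist/build/pdf.mjs": "",
        "node_modules/viewer-a/node_modules/pdfjs-dist/package.json": '{"version": "4.2.67"}',
        "node_modules/viewer-b/vendor/pdf.js": "",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(os.path.join(tmp, "node_modules")))
```

An embedded copy carries no package.json, so the script can only report its location; its version has to be confirmed against the package that bundles it.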
Some parts of this article are sourced from:
thehackernews.com