Critical Flaw in AI Python Package Can Lead to System and Data Compromise

A critical vulnerability discovered recently in a Python package used by AI application developers can allow arbitrary code execution, putting systems and data at risk.
The issue, discovered by researcher Patrick Peng, is tracked as CVE-2024-34359 and it has been dubbed Llama Drama.
Cybersecurity firm Checkpoint on Thursday published a blog post describing the vulnerability and its impact.
CVE-2024-34359 is related to the Jinja2 template rendering Python tool, which is mainly used for generating HTML, and the llama cpp python package, which is used for integrating AI models with Python.
Llama cpp python uses Jinja2 for processing model metadata, but failed to use certain safeguards, enabling template injection attacks.
According to the security firm, the vulnerability can be exploited for arbitrary code execution on systems that use the affected Python package.
The company found that more than 6,000 AI models on the Hugging Face AI community that use llama cpp python and Jinja2 are impacted.
The vulnerability has been patched with the release of llama cpp python 0.2.72.

This Cyber News was published on packetstormsecurity.com. Publication date: Sat, 18 May 2024 08:43:05 +0000

Cyber News related to Critical Flaw in AI Python Package Can Lead to System and Data Compromise

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
7 months ago Aws.amazon.com

Python 2 EOL: Coping with Legacy System Challenges - Python 2.7 was the last major version in the 2.x series of this software language, which was launched on July 3, 2010 and was officially maintained and supported until January 1, 2020. At that point, when the Python 2 EOL phase began, the legacy ...
1 year ago Securityboulevard.com

DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
1 year ago Imperva.com

Critical Flaw in AI Python Package Can Lead to System and Data Compromise - A critical vulnerability discovered recently in a Python package used by AI application developers can allow arbitrary code execution, putting systems and data at risk. The issue, discovered by researcher Patrick Peng, is tracked as CVE-2024-34359 ...
11 months ago Packetstormsecurity.com CVE-2024-34359

Python in Threat Intelligence: Analyzing and Mitigating Cyber Threats - In the world of emerging cybersecurity threats, understanding the significance of threat intelligence is crucial and can not be ignored. Threat intelligence involves the systematic collection, analysis, and application of data to understand potential ...
1 year ago Hackread.com

Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
11 months ago Securityaffairs.com CVE-2022-38028 CVE-2023-49103 CVE-2023-20198 CVE-2023-40044 APT28 Rocke

Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
10 months ago Securityaffairs.com CVE-2024-29849 CVE-2023-49103 CVE-2023-20198 CVE-2023-38831 Rocke

116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com

Juniper Networks fixed a critical authentication bypass flaw in some of its routers - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 ...
10 months ago Securityaffairs.com CVE-2024-0769 CVE-2022-38028 CVE-2024-0204 CVE-2023-49103 CVE-2023-38831 CVE-2023-40044 APT28 Rocke

Python JSON Logger Vulnerability Allows Remote Code Execution - PoC Released - The researcher identified that the python-json-logger package declared a dependency named msgspec-python313-pre in its pyproject.toml file, but this dependency was not present on PyPI and not registered by any entity. When users install ...
1 month ago Cybersecuritynews.com CVE-2025-27607

CVE-2021-32807 - The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The ...
2 years ago

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw - Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious ...
1 year ago Darkreading.com CVE-2023-49103 CVE-2023-49105 CVE-2023-49104

Hackers Employ DLL Side-Loading To Deliver Malicious Python Code - DLL side-loading exploits the Windows DLL search order mechanism, where attackers place malicious DLL files in locations where legitimate applications will load them instead of the intended legitimate libraries. The technique enables attackers to ...
1 month ago Cybersecuritynews.com

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

North Korean Hackers Employs Social Engineering Tactics & Python Script - The attackers employ a dual approach: meticulously crafted social engineering schemes combined with elegantly disguised Python code to gain initial access to target systems. Behind the scenes, the code establishes connections to command and control ...
4 weeks ago Cybersecuritynews.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
11 months ago Securitylabs.datadoghq.com

High-severity flaw affects Cisco Firepower Management Center - CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Hackers ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2024-23897 CVE-2024-0204 CVE-2023-20198 CVE-2023-38831 Rocke

CVE-2023-26154 - Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; ...
1 year ago Tenable.com

10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com CVE-2023-0669 CVE-2023-34362 CVE-2023-36884 CVE-2023-4863 CVE-2023-41992 CVE-2023-41991 CVE-2023-41993 CVE-2023-22515

CVE-2022-33684 - The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a ...
2 years ago

Building a Sustainable Data Ecosystem - Finally, I outline future research and policy refinement directions, advocating for a collaborative and responsible approach to building a sustainable data ecosystem in generative AI. In recent years, generative AI has emerged as a transformative ...
1 year ago Feeds.dzone.com

Decoding the data dilemma: Strategies for effective data deletion in the age of AI - Businesses today have a tremendous opportunity to use data in new ways, but they must also look at what data they keep and how they use it to avoid potential legal issues. Forrester predicts a doubling of unstructured data in 2024, driven in part by ...
1 year ago Venturebeat.com

CVE-2023-40587 - Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a `index.html` file that is ...
1 year ago

Critical Flaw in AI Python Package Can Lead to System and Data Compromise

Cyber News related to Critical Flaw in AI Python Package Can Lead to System and Data Compromise

Latest Cyber News

Cyber Trends (last 7 days)

Trending Cyber News (last 7 days)