Significant security vulnerabilities have been discovered across various machine learning platforms, according to SiliconAngle.
Weights and Biases' open-source Weave toolkit for generative artificial intelligence development is affected by a directory traversal flaw, tracked as CVE-2024-7340, that could be leveraged for unauthorized file access and privilege escalation, while the ML pipeline management platform ZenML Cloud was affected by an improper access control bug that could grant admin privileges, an analysis from JFrog revealed. In addition, the Deep Lake database, Vanna AI and the Mage AI server are affected by vulnerabilities that could be exploited to achieve remote code execution. "These vulnerabilities allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines. Exploitation of some of these vulnerabilities can have a big impact on the organization — especially given the inherent post-exploitation vectors present in ML such as backdooring models to be consumed by multiple clients," the researchers said.