Breaking
December 23, 2024

Open source machine learning systems are highly vulnerable to security threats

By Efosa Udinmwen | usagoldmines.com

  • MLflow identified as most vulnerable open-source ML platform
  • Directory traversal flaws allow unauthorized file access in Weave
  • ZenML Cloud’s access control issues enable privilege escalation risks

Recent analysis of the security landscape of machine learning (ML) frameworks has revealed that ML software is subject to more security vulnerabilities than more mature categories such as DevOps tools or web servers.

The growing adoption of machine learning across industries highlights the critical need to secure ML systems, as vulnerabilities can lead to unauthorized access, data breaches, and compromised operations.

The report from JFrog claims ML projects such as MLflow have seen an increase in critical vulnerabilities. Over the last few months, JFrog has uncovered 22 vulnerabilities across 15 open source ML projects. Among these vulnerabilities, two categories stand out: threats targeting server-side components and risks of privilege escalation within ML frameworks.

Critical vulnerabilities in ML frameworks

The vulnerabilities identified by JFrog affect key components commonly used in ML workflows. Because ML practitioners often trust these tools for their flexibility, attackers could exploit them to gain unauthorized access to sensitive files or to elevate privileges within ML environments.

One of the highlighted vulnerabilities involves Weave, a popular toolkit from Weights & Biases (W&B), which aids in tracking and visualizing ML model metrics. The WANDB Weave Directory Traversal vulnerability (CVE-2024-7340) enables low-privileged users to access arbitrary files across the filesystem.

This flaw arises due to improper input validation when handling file paths, potentially allowing attackers to view sensitive files that could include admin API keys or other privileged information. Such a breach could lead to privilege escalation, giving attackers unauthorized access to resources and compromising the security of the entire ML pipeline.

ZenML, an MLOps pipeline management tool, is also affected by a critical vulnerability that compromises its access control systems. This flaw allows attackers with minimal access privileges to elevate their permissions within ZenML Cloud, a managed deployment of ZenML, thereby accessing restricted information, including confidential secrets or model files.

The access control issue in ZenML exposes the system to significant risks, as escalated privileges could enable an attacker to manipulate ML pipelines, tamper with model data, or access sensitive operational data, potentially impacting production environments reliant on these pipelines.

Another serious vulnerability, known as the Deep Lake Command Injection (CVE-2024-6507), was found in the Deep Lake database – a data storage solution optimized for AI applications. This vulnerability permits attackers to execute arbitrary commands by exploiting how Deep Lake handles external dataset imports.

Due to improper command sanitization, an attacker could potentially achieve remote code execution, compromising the security of both the database and any connected applications.
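The Deep Lake issue above is described only at the level of "improper command sanitization" when an external dataset is imported. The Python below is an added example, not code from JFrog or the Deep Lake project, of the defensive pattern that closes that class of bug: the import source is validated against an allow-listed https host before use, and the download is launched as an argv list with no shell, so the URL can only ever be one argument rather than part of a command line. The host name, the fetch tool and all function names are constructed for illustration.

```python
import subprocess
from urllib.parse import urlparse

# Constructed for this example: the only host this import job may fetch datasets from.
ALLOWED_HOSTS = {"datasets.example.org"}
# Characters that carry meaning for a shell and never belong in a dataset URL.
SHELL_METACHARS = set(";|&$`<>()'\"\\\n")


def validate_source(source: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> str:
    """Accept only an https URL on an allow-listed host with no shell metacharacters."""
    parsed = urlparse(source)
    if parsed.scheme != "https":
        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
    # hostname drops userinfo and port, so 'allowed-host@other-host' parses as other-host.
    host = parsed.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise ValueError(f"host not allow-listed: {host!r}")
    # Belt and braces: argv invocation already prevents injection, but a URL that
    # contains shell syntax or whitespace is never a legitimate dataset location.
    if any(ch in SHELL_METACHARS or ch.isspace() for ch in source):
        raise ValueError("source contains characters that are never valid in a URL")
    return source


def is_accepted(source: str) -> bool:
    """Report validate_source's decision as a boolean, for audits and tests."""
    try:
        validate_source(source)
        return True
    except ValueError:
        return False


def import_argv(source: str, dest: str) -> list:
    """Build the fetch as an argv list; the URL is one argument, never shell text.

    The pattern this replaces is f"curl {source} -o {dest}" run with shell=True,
    where anything after a ';' in source becomes a second command.
    """
    return ["curl", "--fail", "--silent", "--location", "--output", dest, validate_source(source)]


def run_import(source: str, dest: str) -> int:
    """Run the fetch without a shell; returns curl's exit status, raises on bad input."""
    completed = subprocess.run(import_argv(source, dest), shell=False, check=False)
    return completed.returncode


if __name__ == "__main__":
    for candidate in [
        "https://datasets.example.org/imagenet/train.tar",
        "http://datasets.example.org/imagenet/train.tar",
        "https://datasets.example.org@evil.example.com/train.tar",
        "https://datasets.example.org/train.tar;id",
    ]:
        print(f"{candidate!r:60} {'accepted' if is_accepted(candidate) else 'rejected'}")
```

Validation and invocation are kept separate on purpose: `import_argv` can be unit-tested without network access, and any caller that builds its own command line has to go through `validate_source` to get a URL at all.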

A notable vulnerability was also found in Vanna AI, a tool designed for natural language SQL query generation and visualization. The Vanna.AI Prompt Injection (CVE-2024-5565) allows attackers to inject malicious code into SQL prompts, which the tool subsequently processes. This vulnerability, which could lead to remote code execution, allows malicious actors to target Vanna AI’s SQL-to-graph visualization feature to manipulate visualizations, execute SQL injections, or exfiltrate data.

Mage.AI, an MLOps tool for managing data pipelines, has been found to have multiple vulnerabilities, including unauthorized shell access, arbitrary file leaks, and weak path traversal checks.

These issues allow attackers to gain control over data pipelines, expose sensitive configurations, or even execute malicious commands. The combination of these vulnerabilities presents a high risk of privilege escalation and data integrity breaches, compromising the security and stability of ML pipelines.

By gaining admin access to ML databases or registries, attackers can embed malicious code in models, leading to backdoors that activate upon model load. This can compromise downstream processes as the models are utilized by various teams and CI/CD pipelines. The attackers can also exfiltrate sensitive data or conduct model poisoning attacks to degrade model performance or manipulate outputs.

JFrog’s findings highlight an operational gap in MLOps security. Many organizations lack robust integration of AI/ML security practices with broader cybersecurity strategies, leaving potential blind spots. As ML and AI continue to drive significant industry advancements, safeguarding the frameworks, datasets, and models that fuel these innovations becomes paramount.


This article is written by: Nermeen Nabil Khear Abdelmalak

All rights reserved to: USAGOLDMIES. www.usagoldmines.com
