Open-source tools for artificial intelligence Setuptools, Lunary, and Netaddr were discovered to be impacted by critical vulnerabilities, all of which have already been addressed, reports SiliconAngle.
Attackers could have leveraged the issue in the Setuptools Python package — which is used to facilitate Python library management and installation in AI models — to enable arbitrary code execution via specially crafted package URLs, while the authorization bypass flaw in the Lunary developer platform for improving large language model-based apps could have been exploited to allow persistent organizational template access and modification, as well as data alteration, an analysis from Protect AI showed. On the other hand, exploitation of the server-side request forgery flaw in the Netaddr Python library for altering AI projects' network addresses could allow threat actors to evade SSRF protections and infiltrate internal networks, the study revealed. All of the vulnerabilities were discovered via the AI and machine learning bug bounty program of Protect AI.
