Aggregator

CVE-2009-2337 | W3bcms Gaestebuch Guestbook Module 3.0.0 index.inc.php spam_id sql injection (EDB-8396 / XFDB-49853)

Vuldb Updates
9 months 1 week ago
A vulnerability was found in W3bcms Gaestebuch Guestbook Module 3.0.0. It has been classified as critical. This affects an unknown part of the file includes/module/book/index.inc.php. The manipulation of the argument spam_id leads to sql injection. This vulnerability is uniquely identified as CVE-2009-2337. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2015-3202 | fuse up to 2.9.3-14 fusermount LIBMOUNT_MTAB File access control (USN-2617-1 / EDB-37089)

Vuldb Updates
9 months 1 week ago
A vulnerability classified as problematic has been found in fuse up to 2.9.3-14. This affects an unknown part of the component fusermount. The manipulation of the argument LIBMOUNT_MTAB as part of Environment Variable leads to improper access controls (File). This vulnerability is uniquely identified as CVE-2015-3202. Local access is required to approach this attack. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2015-3213 | Clutter up to 1.16.1 Gesture access control (RHSA-2015:1510 / Nessus ID 85046)

Vuldb Updates
9 months 1 week ago
A vulnerability, which was classified as problematic, was found in Clutter up to 1.16.1. This affects an unknown part of the component Gesture Handler. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2015-3213. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2015-3215 | NetKVM Windows Virtio Driver IP Packet length input validation (RHSA-2015:1043 / Nessus ID 83986)

Vuldb Updates
9 months 1 week ago
A vulnerability was found in NetKVM Windows Virtio Driver. It has been declared as critical. This vulnerability affects unknown code of the component IP Packet Handler. The manipulation of the argument length leads to improper input validation. This vulnerability was named CVE-2015-3215. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2014-4703 | Nagios 2.0.2 Configuration File lib/parse_ini.c link following (EDB-33904 / Nessus ID 85469)

Vuldb Updates
9 months 1 week ago
A vulnerability, which was classified as problematic, has been found in Nagios 2.0.2. This issue affects some unknown processing in the library lib/parse_ini.c of the component Configuration File. The manipulation leads to link following. The identification of this vulnerability is CVE-2014-4703. It is possible to launch the attack on the local host. Furthermore, there is an exploit available.
vuldb.com

360独家报告:主流AI框架隐患不断,缺乏安全策略成“常态”

嘶吼
9 months 1 week ago

近日,360数字安全集团发布了一份关于大模型安全漏洞的报告,揭示了当前大模型及围绕其构建的框架和应用中存在的严重安全问题。报告显示,360近期研究发现了近40个大模型相关的安全漏洞,其中既包括二进制内存安全、Web安全等经典漏洞类型,也包含由大模型自身特性引入的综合性问题。影响范围覆盖多个知名模型服务框架及国际厂商开发的开源产品。更为严重的是,在对目前流行的框架进行审计后,发现几乎所有的框架都缺乏有效的安全保护策略

报告指出,大模型在软件设施和具体应用场景落地中面临诸多安全挑战。这些挑战涵盖了模型层安全、框架层安全和应用层安全。在模型层,攻击者可以通过数据投毒、后门植入、对抗攻击等手段,使得模型无法正常完成推理预测,或绕过安全限制,生成不当内容。而在框架层,问题则更为复杂。目前的大模型项目需求不断增长,各类开源框架层出不穷,这些框架虽然提供了完整的开发周期功能,降低了构建AI应用的门槛,但同时也打开了新的攻击面。

360对目前流行的框架进行审计后发现,几乎所有的框架都缺乏有效的安全保护策略。由于框架底层主要使用非内存安全语言进行编程,如C/C++,因此在优化算法的代码实现过程中很可能引入内存安全问题。此外,框架在接受并处理不可信数据时,也缺乏足够的校验和过滤机制,使得攻击者可以通过构造恶意数据来触发漏洞。

例如,在TensorFlow、PyTorch等国内外流行框架中,就存在因内存破坏导致的进程崩溃等问题。这些问题通常可以通过调用特定的接口函数,并传入特殊构造的数据参数来触发。然而,由于修复这些问题可能会严重影响训练效率,因此一些框架开发者并没有及时对这些问题进行修复

更为严重的是,在分布式场景下,框架的安全问题更加突出。由于分布式系统通常包含大量的计算资源和存储资源,一旦被恶意控制,将带来巨大的安全风险。可惜的是,目前几乎所有的框架都没有良好的安全策略来实现分布式场景下的安全防护。一些框架在通信过程中没有对接收的数据进行严格校验,使得攻击者可以通过发送恶意构造的数据包来触发漏洞,进而控制整个集群。

针对这些问题,360建议框架开发者应加强对安全问题的重视,投入更多精力来解决因框架设计导致的安全敞口问题。同时,用户在使用这些框架时也应保持警惕,采取必要的安全措施来保护自己的系统免受攻击。

此次发现再次提醒我们,以大模型为重要支撑的AI生态虽然拥有巨大的发展潜力,但同时也面临着复杂而繁多的风险因素。为了确保整个系统的可信、可靠、可控,我们需要将更多的精力投入在AI的安全之上,不断发现和解决潜在的安全问题,为构建更加安全、健康的AI数字环境贡献力量。

企业资讯

CVE-2019-1003002 | Pipeline Declarative Plugin up to 1.3.3 Sandbox Converter.groovy 7pk security (Advisory 152132 / EDB-46572)

Vuldb Updates
9 months 1 week ago
A vulnerability classified as critical was found in Pipeline Declarative Plugin up to 1.3.3. This vulnerability affects unknown code of the file pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy of the component Sandbox. The manipulation leads to 7pk security features. This vulnerability was named CVE-2019-1003002. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

RF Fortune Telling: Frequency Hopping Predictability

Security Boulevard
9 months 1 week ago

In the world of wireless communications, security vulnerabilities in implemented protocols canremain hidden behind layers of complexity. What appears secure due to the intricate nature ofRF communications may harbor fundamental weaknesses. Let’s dive into a fascinating casethat reveals how a seemingly minor cryptographic weakness in frequency hopping algorithmscan compromise an entire wireless communication stream. Understanding […]

The post RF Fortune Telling: Frequency Hopping Predictability appeared first on Praetorian.

The post RF Fortune Telling: Frequency Hopping Predictability appeared first on Security Boulevard.

Harry Hayward

CVE-2013-1950 | Red Hat rpcbind 0.2.3 libtirpc svc_dg_getargs UDP Packet resource management (EDB-26887 / Nessus ID 68830)

Vuldb Updates
9 months 1 week ago
A vulnerability was found in Red Hat rpcbind 0.2.3 and classified as critical. This issue affects the function svc_dg_getargs in the library libtirpc of the component rpcbind. The manipulation as part of UDP Packet leads to improper resource management. The identification of this vulnerability is CVE-2013-1950. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.
vuldb.com

Managed ad