January 19, 2024 at 12:24PM
Members of the Huntr bug bounty platform discovered critical vulnerabilities in MLflow and Hugging Face. The vulnerabilities in MLflow, with a CVSS score of 10, enabled attackers to delete files, access sensitive information, or execute remote code. Hugging Face also had a flaw allowing the injection of malicious code. ClearML was also found to have a high-severity flaw allowing for the injection of malicious XSS payloads. All vulnerabilities were reported to project maintainers and subsequently resolved.
From the meeting notes:
– Huntr bug bounty platform members identified severe vulnerabilities in MLflow, ClearML, and Hugging Face.
– Four critical vulnerabilities were identified in MLflow with CVSS score of 10, patched in version 2.9.2.
– A critical-severity flaw was found in Hugging Face Transformers, resolved in version 4.36.
– A high-severity stored cross-site scripting (XSS) flaw was identified in ClearML.
– A critical-severity Paddle command injection bug (CVE-2024-0521) was reported to Protect AI.
Additionally, references to related articles and NIST’s stance on adversarial machine learning attacks were noted.