May 17, 2024 at 09:57AM
A critical vulnerability, tracked as CVE-2024-34359 and named Llama Drama, was discovered in a Python package used by AI developers. The flaw allows for arbitrary code execution, posing a risk to systems and data. Cybersecurity firm Checkpoint detailed the issue, and a patch has been released with llama_cpp_python 0.2.72. More than 6,000 AI models are affected.
Key takeaways:
– A critical vulnerability, tracked as CVE-2024-34359 and dubbed Llama Drama, was discovered in a Python package used by AI application developers.
– The vulnerability involves Jinja2, a template rendering tool for Python, and the llama_cpp_python package, which is used for integrating AI models with Python.
– llama_cpp_python uses Jinja2 to process model metadata but failed to use certain safeguards, enabling template injection attacks.
– The vulnerability can be exploited for arbitrary code execution on systems that use the affected Python package, impacting more than 6,000 AI models on the Hugging Face AI community platform.
– The vulnerability has been patched with the release of llama_cpp_python 0.2.72.
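An added example (not from the article or the llama_cpp_python project): a standard-library check that scans a requirements file or `pip freeze` listing for llama_cpp_python entries pinned below the patched 0.2.72 release named above. The sample listing is constructed, and unpinned or range specifiers are flagged for manual review rather than guessed.

```python
import re

FIXED = (0, 2, 72)  # patched release named in the article
# pip treats '-', '_' and '.' as equivalent in project names, case-insensitively
NAME = re.compile(r"^llama[-_.]cpp[-_.]python$", re.IGNORECASE)
# project name, optional [extras], then whatever specifier follows
LINE = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(.*)$")
# only an exact pin with a purely numeric version can be judged automatically
PIN = re.compile(r"^===?\s*(\d+(?:\.\d+)*)$")

# Constructed sample input, for illustration only
SAMPLE = """\
# constructed requirements file
numpy==1.26.4
llama-cpp-python==0.2.56
Llama_CPP_Python[server]==0.2.72  # extras and mixed case
llama.cpp.python>=0.2.0
"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit(requirements_text):
    """Return (line_no, status, detail) for every llama_cpp_python entry."""
    findings = []
    for line_no, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0]           # drop trailing comments
        line = line.split(";", 1)[0].strip()  # drop environment markers
        if not line or line.startswith("-"):  # blank lines and pip options
            continue
        match = LINE.match(line)
        if not match or not NAME.match(match.group(1)):
            continue
        spec = match.group(2).strip()
        pin = PIN.match(spec)
        if pin is None:
            # range, URL, pre/post release or no pin: a human must decide
            findings.append((line_no, "REVIEW", spec or "unpinned"))
        elif parse_version(pin.group(1)) < FIXED:
            findings.append((line_no, "VULNERABLE", pin.group(1)))
        else:
            findings.append((line_no, "OK", pin.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, status, detail in audit(SAMPLE):
        print(f"line {line_no}: {status} ({detail})")
```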