Vulnerabilities Expose Jan AI Systems to Remote Manipulation

Summary: Multiple vulnerabilities have been discovered in Jan AI, an open-source alternative to ChatGPT, which could allow remote attackers to exploit the system without authentication, according to security platform Snyk. The issues include arbitrary file write capabilities and remote code execution risks due to insufficient protections. Menlo Research has since addressed these vulnerabilities and issued several CVEs in response.

Affected: Jan AI developed by Menlo Research

Key points:

  • Vulnerabilities could be exploited by remote, unauthenticated attackers to manipulate systems.
  • Issues include arbitrary file write due to a lack of sanitization in upload functions, and out-of-order parsing errors.
  • Remote code execution (RCE) risk through Cortex.cpp’s Python engine, which could allow attackers to inject payloads into model configurations.
  • Four CVEs were issued, addressing various weaknesses, including in CSRF protection, and command injection vulnerabilities.

Source: https://www.securityweek.com/vulnerabilities-expose-jan-ai-systems-to-remote-manipulation/
