close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: CVE-2024-5185 Data Poisoning Vulnerability in EmbedAI Application

Mohammed Alshehri

May 28, 2024 / 1 min read

Table of Contents

Overview

The Synopsys Cybersecurity Research Center (CyRC) has exposed a data poisoning vulnerability in the EmbedAI application. EmbedAI allows users to interact with documents by utilizing the capabilities of large language models (LLMs).

This vulnerability could result in an application becoming compromised, leading to unauthorized entries or data poisoning attacks. These attacks are enabled by a cross-site request forgery (CSRF) vulnerability created by the absence of a secure session management implementation and weak cross-origin resource-sharing policies.

Exploitation

An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.

Affected software
  • EmbedAI "main" branch

Impact

Exploitation of this vulnerability could affect the immediate functioning of the model and can have long-lasting effects on its credibility and the security of the systems that rely on it. This can manifest in various ways, including the spread of misinformation, introduction of biases, degradation of performance, and potential for denial-of-service attacks.

  • CVSS base score: 7.3 (High)
  • CVSS 3.1 vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Remediation

The CyRC reached out to the developers but has not received a response within the 90-day timeline dictated by our responsible disclosure policy. The CyRC recommends removing the applications from networks immediately.

Discovery credit

This vulnerability was discovered by Mohammed Alshehri, a security researcher at Synopsys.

Timeline
  • February 26, 2024: Initial contact attempt
  • April 4, 2024: Second contact attempt
  • May 1, 2024: Final contact attempt
  • May 3, 2024: Synopsys confirms disclosure to SamurAI
  • May 29, 2024: Advisory published by Synopsys
References

https://github.com/SamurAIGPT/EmbedAI

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.

Continue Reading

CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service
Blog
1 min read / Jun 05, 2024

CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service

Mohammed Alshehri
By Mohammed Alshehri
Tags: Software Integrity, Security News & Trends, CyRC
Read Article
CyRC Vulnerability Advisory: CVE-2024-5185 Data Poisoning Vulnerability in EmbedAI Application
Blog
1 min read / May 28, 2024

CyRC Vulnerability Advisory: CVE-2024-5185 Data Poisoning Vulnerability in EmbedAI Application

Mohammed Alshehri
By Mohammed Alshehri
Tags: Software Integrity, Security News & Trends, CyRC
Read Article
Clearlake Capital Group and Francisco Partners reach agreement to purchase the Software Integrity Group
Blog
1 min read / May 08, 2024

Clearlake Capital Group and Francisco Partners reach agreement to purchase the Software Integrity Group

Jason Schmitt
By Jason Schmitt
Tags: Software Integrity, Security News & Trends
Read Article

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security