TLDR:
- A critical security flaw has been discovered in the llama_cpp_python Python package, allowing for arbitrary code execution.
- An oversight in the PDF.js JavaScript library used by Firefox could lead to the execution of arbitrary code when opening PDF documents.
A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution. Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx. The vulnerability stems from the misuse of the Jinja2 template engine, allowing for server-side template injection that leads to remote code execution.
Another code execution flaw was found in Mozilla’s PDF.js JavaScript library (CVE-2024-4367), which could allow attackers to execute arbitrary code as soon as a malware-laced PDF document is opened in the Firefox browser. The issue has been addressed in recent versions of Firefox and Thunderbird, as well as in the npm module pdfjs-dist.
Full Article:
A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution. Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx. “If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations,” security researcher Guy Nachshon said. llama_cpp_python, a Python binding for the llama.cpp library, is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python. Security researcher Patrick Peng (retr0reg) has been credited with discovering and reporting the flaw, which has been addressed in version 0.2.72. The core issue stems from the misuse of the Jinja2 template engine within the llama_cpp_python package, allowing for server-side template injection that leads to remote code execution by means of a specially crafted payload. “The exploitation of this vulnerability can lead to unauthorized actions by attackers, including data theft, system compromise, and disruption of operations,” Checkmarx said.
The development follows the discovery of a high-severity flaw in Mozilla’s PDF.js JavaScript library (CVE-2024-4367) that could allow the execution of arbitrary code. “A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context,” Mozilla said in an advisory. Codean Labs, which characterized the flaw as an “oversight in a specific part of the font rendering code,” said it permits an attacker to execute JavaScript code as soon as a malware-laced PDF document is opened in the Firefox browser.