@blamejs/exceptd-skills 0.13.103 → 0.13.105

package/data/framework-control-gaps.json

@@ -38,8 +38,10 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -50,6 +52,8 @@
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1265,7 +1269,10 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-43472",
+      "CVE-2023-6016",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2097,7 +2104,10 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2023-6016",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "CVE-2024-5565",
       "CVE-2025-3248",
@@ -2243,6 +2253,7 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6038",
       "CVE-2024-0132",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -2330,6 +2341,8 @@
       "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2790,6 +2803,7 @@
     "opened_date": "2026-02-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-5565",
       "CVE-2025-11837",
@@ -2830,6 +2844,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3094",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -5018,8 +5034,10 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5032,6 +5050,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5121,6 +5141,7 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-6038",
       "CVE-2024-1709",
       "CVE-2025-3248",
       "CVE-2026-33017",
@@ -5415,6 +5436,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-6016",
+      "CVE-2023-6038",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-6973"
@@ -5578,6 +5601,8 @@
     "evidence_cves": [
       "CVE-2023-44467",
       "CVE-2023-51449",
+      "CVE-2023-6016",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5590,6 +5615,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5672,8 +5699,10 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5686,6 +5715,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5803,6 +5834,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
@@ -5941,6 +5974,7 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2023-48022",
+      "CVE-2023-6038",
       "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
@@ -6013,8 +6047,10 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",

package/data/zeroday-lessons.json

@@ -4361,6 +4361,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK reconstructs stored experiment artifacts through an unsafe object-deserialization routine on retrieval, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system.",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to an uploaded artifact before the MLOps SDK deserializes it."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat MLOps experiment artifacts as untrusted third-party content moving between collaborators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded artifacts as an untrusted code-delivery surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6016": {
+    "name": "H2O-3 POJO Model Import Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "H2O-3's dashboard / REST API exposes an unauthenticated POJO (Java) model-import feature that compiles and runs the imported model code, so an unauthenticated attacker imports a malicious model and gains remote code execution on the host.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is H2O-3, an open-source ML/AutoML platform. The lesson: an ML platform's control plane is a privileged surface - model import runs code, so it must authenticate and reject untrusted model artifacts; a 'trusted environment' deployment assumption is not a control."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation does not track the ML platform's model-import feature; the vendor treats H2O-3 as trusted-environment-only, so no fix ships."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a trusted model from attacker code at the unauthenticated model-import endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML platform's model-import feature as a privileged code-execution surface - a model artifact is executable code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "H2O-3 is deployed for data-science productivity on trusted-network assumptions; its dashboard / REST API is frequently exposed without authentication, and the vendor ships no fix (trusted-environment-by-design).",
+      "theater_pattern": "ai_platform_trusted_environment_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6038": {
+    "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "H2O-3's REST API exposes a file-import path with no authorization check, so an unauthenticated remote attacker reads arbitrary files on the host with the H2O-3 process's permissions (Local File Inclusion).",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is H2O-3, an open-source ML/AutoML platform. The lesson: an ML platform's control plane is a privileged surface - its REST API must authenticate every endpoint; a 'trusted environment' deployment assumption is not a control."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The H2O-3 REST API does not authenticate callers before serving a file-import path; 'trusted environment' is assumed, not enforced."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the unauthenticated ML-platform REST API as an exposed surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires authenticating every endpoint of an ML platform's control plane / REST API."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "H2O-3 is deployed for data-science productivity on trusted-network assumptions; its dashboard / REST API is frequently exposed without authentication, and the vendor ships no fix (trusted-environment-by-design).",
+      "theater_pattern": "ai_platform_trusted_environment_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's job/control API must authenticate every caller; 'deploy only on a trusted network' is an assumption, not a control, and must not substitute for authentication. Enable Ray token authentication (2.52.0+), never expose the dashboard / Job Submission API to untrusted networks, front it with an authenticating proxy, and treat any internet-exposed cluster as compromised (rotate model artifacts and cloud credentials). The distinguishing test: from the public internet, attempt to reach the Ray dashboard (default 8265) and submit a job unauthenticated on a staging cluster; it must be refused.",
+        "evidence": "https://atlas.mitre.org/studies/AML.CS0023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK writes dataset entries without path containment on retrieval, so a maliciously uploaded dataset with absolute / ../ entries writes files to arbitrary locations on the retrieving user's system (escalating to code execution by overwriting startup/config files).",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No path validation is applied to dataset entries before the MLOps SDK extracts them."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced: dataset extraction writes entries without containing them to the cache directory."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded datasets as an untrusted file-write surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-33017": {
     "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution",
     "lesson_date": "2026-05-25",