@blamejs/exceptd-skills 0.13.108 → 0.13.110

package/data/framework-control-gaps.json

@@ -37,6 +37,8 @@
       "CVE-2022-1471",
       "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -101,6 +103,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
@@ -1291,6 +1295,8 @@
       "CVE-2025-3248",
       "CVE-2025-6965",
       "CVE-2026-30623",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2128,6 +2134,8 @@
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2198,6 +2206,8 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-YELLOWKEY",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2025-14847",
       "CVE-2025-22226",
       "CVE-2026-43284"
@@ -2387,6 +2397,8 @@
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-45829",
@@ -2768,6 +2780,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -3839,6 +3853,8 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-6019",
       "CVE-2023-6021",
@@ -5062,7 +5078,9 @@
       "CVE-2022-1471",
       "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5132,6 +5150,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5178,6 +5198,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2022-36551",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-6038",
       "CVE-2024-1709",
       "CVE-2025-25297",
@@ -5474,6 +5496,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-6016",
       "CVE-2023-6038",
       "CVE-2025-3248",
@@ -5638,7 +5662,9 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2022-36551",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-51449",
       "CVE-2023-6016",
       "CVE-2023-6038",
@@ -5697,6 +5723,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5741,7 +5769,9 @@
       "CVE-2022-1471",
       "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5809,6 +5839,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5889,6 +5921,8 @@
       "CVE-2024-3154",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
@@ -6025,6 +6059,8 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-6038",
       "CVE-2025-3248",

package/data/zeroday-lessons.json

@@ -4611,6 +4611,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-47117": {
+    "name": "Label Studio ORM Filter Manipulation Sensitive-Field Disclosure",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio passes user-controlled task filters into a Django ORM query without restricting referenced fields, so an attacker reads sensitive fields (password hashes, tokens) from all user accounts.",
+      "privileges_required": "none (unauthenticated field disclosure)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data-platform API must enforce object-level authorization and never expose sensitive fields - this CVE supplies the leaked credentials in a privilege-escalation chain that ends in full account takeover."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain which records/fields a user can read through the API."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML data-labeling platforms expose rich APIs over collaborative datasets; object-level authorization and serializer field allowlisting are frequently missing, and audits rarely test cross-account field reads.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow model-loading component calls torch.load() without weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (the same weights_only gap as CVE-2025-32434, here in the defensive-ML library).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; a model file it loads is executable code."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; loading an untrusted model is inherently code execution - the control is provenance + sandboxing, not patching."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model from a deserialization payload before ART loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (the same build-from-arguments root cause as the LlamaIndex CLI injection).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; its CLI must parse arguments with a safe literal parser, never a dynamic-evaluation call."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; the control is parsing CLI arguments with a safe literal parser rather than a dynamic-evaluation call."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML library's CLI argument parsing as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "ai_framework_cli_eval"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-100",
+        "name": "AI-FRAMEWORK-CLI-SHELL-INPUT-NEUTRALIZATION",
+        "description": "AI-framework CLIs and tools that invoke external commands must never build a shell string from user-supplied arguments or config: use argv-array execution (no shell), or neutralize input with shlex/equivalent. Upgrade llama-index-cli past 0.12.20 to the shlex-escaped release, and in any wrapper/automation pass arguments as a list rather than a shell string. The distinguishing test: pass a --files value containing shell metacharacters to a staging CLI and confirm no subcommand executes.",
+        "evidence": "https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-43791": {
+    "name": "Label Studio Account Impersonation and Privilege Escalation",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio exposes information that, chained with the ORM sensitive-field leak (CVE-2023-47117), lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator.",
+      "privileges_required": "low (a low-privilege account; the chain reaches Django superadmin)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data-platform API must enforce object-level authorization and never expose sensitive fields - this CVE replays the leaked credentials to impersonate and escalate in a privilege-escalation chain that ends in full account takeover."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain which records/fields a user can read through the API."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "ML data-labeling platforms expose rich APIs over collaborative datasets; object-level authorization and serializer field allowlisting are frequently missing, and audits rarely test cross-account field reads.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-f475-x83m-rx5m",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2022-36551": {
     "name": "Label Studio Data Import Server-Side Request Forgery",
     "lesson_date": "2026-05-25",