@blamejs/exceptd-skills 0.13.84 → 0.13.86

package/data/framework-control-gaps.json

@@ -34,8 +34,12 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -1346,6 +1350,7 @@
       "CVE-2021-39935",
       "CVE-2021-43226",
       "CVE-2021-43798",
+      "CVE-2022-1471",
       "CVE-2022-20775",
       "CVE-2022-37055",
       "CVE-2022-40799",
@@ -1360,6 +1365,7 @@
       "CVE-2023-39780",
       "CVE-2023-41974",
       "CVE-2023-43000",
+      "CVE-2023-43654",
       "CVE-2023-50224",
       "CVE-2023-52163",
       "CVE-2024-0769",
@@ -1369,7 +1375,9 @@
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -1767,8 +1775,12 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -2207,6 +2219,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2336,6 +2350,7 @@
       "CVE-2021-39935",
       "CVE-2021-43226",
       "CVE-2021-43798",
+      "CVE-2022-1471",
       "CVE-2022-20775",
       "CVE-2022-37055",
       "CVE-2022-40799",
@@ -2351,6 +2366,7 @@
       "CVE-2023-39780",
       "CVE-2023-41974",
       "CVE-2023-43000",
+      "CVE-2023-43654",
       "CVE-2023-50224",
       "CVE-2023-52163",
       "CVE-2024-0132",
@@ -2361,7 +2377,9 @@
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -3623,6 +3641,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2026-24206",
       "CVE-2026-24207"
@@ -4833,9 +4853,13 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5359,6 +5383,8 @@
     "evidence_cves": [
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5420,9 +5446,13 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5725,6 +5755,8 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-1709",
       "CVE-2026-20182",

package/data/zeroday-lessons.json

@@ -7333,6 +7333,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-43654": {
+    "name": "PyTorch TorchServe Management API SSRF to Remote Code Execution (ShellTorch)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "PyTorch TorchServe Management API SSRF to Remote Code Execution (ShellTorch): CWE-918 SSRF in the management API. In the ShellTorch chain, an unauthenticated, network-exposed TorchServe management API accepts a remote model configuration and parses it with an unsafe YAML deserializer, yielding full remote code execution on the model server.",
+      "privileges_required": "none (NVD PR:N) — default-configured TorchServe is open and unauthenticated",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is an AI model server (TorchServe, maintained by Amazon and Meta) and the libraries it bundles. The lesson: a model server's management API is a privileged control plane that must authenticate, bind to loopback, and never deserialize untrusted config unsafely — Oligo found thousands of exposed instances at major organizations, so the default-open posture is the real-world exposure."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the model server's management API; the default deployment is open and network-exposed."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI model servers and their bundled deserialization libraries as managed, RCE-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Model servers are deployed with default-open management planes on trusted-network assumptions; bundled YAML/deserialization libraries are not tracked.",
+      "theater_pattern": "default_open_management_plane"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-093",
+        "name": "AI-MODEL-SERVER-MANAGEMENT-API-HARDENING",
+        "description": "An AI model server's management API must authenticate every caller, bind to loopback (not all interfaces) by default, restrict model sources to an allow-list (no fetching configs/archives from arbitrary URLs), and parse configuration with safe deserializers (SafeConstructor / no arbitrary type instantiation). Upgrade TorchServe 0.8.2+ and bind the management API to loopback with authentication. The distinguishing test: from an unauthenticated remote client, attempt to register a model from an attacker URL against a staging model server and confirm it is refused and no remote content is fetched or deserialized.",
+        "evidence": "https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-37032": {
+    "name": "Ollama Model Registry Path Traversal Arbitrary File Write RCE (Probllama)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Ollama CWE-22 path traversal via unvalidated model-blob digest: an attacker reaching the Ollama HTTP API (default port 11434) manipulates a path/digest the runtime then uses against the filesystem, writing attacker content to an arbitrary path and achieving RCE.",
+      "privileges_required": "low / network (NVD PR:L) — reachable via the Ollama API + a rogue registry",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-pull / model API of the most widely used local LLM runtime. The lesson: the model-runtime API must validate digests and path parameters and must never be network-exposed to untrusted clients; pulling from untrusted registries is a supply-chain trust decision."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime as managed, network-exposed software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model-blob digests / API path parameters in the runtime."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model-runtime API's path/digest handling as untrusted input reaching the filesystem."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Local-LLM runtimes are run on trusted-network assumptions and rarely tracked; model pulls from arbitrary registries are not gated.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "The model-runtime API must validate path-bearing inputs (model-blob digests must be exactly 64-hex SHA256; API route parameters must reject traversal sequences) before touching the filesystem, must not be exposed to untrusted networks (Ollama default port 11434), and must only pull models from trusted registries. Upgrade Ollama to 0.1.34 or later. The distinguishing test: point a staging Ollama at a rogue registry whose manifest carries a traversal digest, and send api/push requests with ../ sequences, and confirm both are rejected without filesystem access.",
+        "evidence": "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-39722": {
+    "name": "Ollama api/push Path Traversal File-Existence Disclosure",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Ollama CWE-22 path traversal on the api/push route: an attacker reaching the Ollama HTTP API (default port 11434) manipulates a path/digest the runtime then uses against the filesystem, disclosing which files exist on the host.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-pull / model API of the most widely used local LLM runtime. The lesson: the model-runtime API must validate digests and path parameters and must never be network-exposed to untrusted clients; pulling from untrusted registries is a supply-chain trust decision."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime as managed, network-exposed software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model-blob digests / API path parameters in the runtime."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model-runtime API's path/digest handling as untrusted input reaching the filesystem."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "Local-LLM runtimes are run on trusted-network assumptions and rarely tracked; model pulls from arbitrary registries are not gated.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "The model-runtime API must validate path-bearing inputs (model-blob digests must be exactly 64-hex SHA256; API route parameters must reject traversal sequences) before touching the filesystem, must not be exposed to untrusted networks (Ollama default port 11434), and must only pull models from trusted registries. Upgrade Ollama to 0.1.46 or later. The distinguishing test: point a staging Ollama at a rogue registry whose manifest carries a traversal digest, and send api/push requests with ../ sequences, and confirm both are rejected without filesystem access.",
+        "evidence": "https://www.oligo.security/blog/more-models-more-probllms",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2022-1471": {
+    "name": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain): CWE-502 unsafe YAML deserialization. In the ShellTorch chain, an unauthenticated, network-exposed TorchServe management API accepts a remote model configuration and parses it with an unsafe YAML deserializer, yielding full remote code execution on the model server.",
+      "privileges_required": "none for services parsing untrusted YAML (NVD PR:N; CNA Google PR:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is an AI model server (TorchServe, maintained by Amazon and Meta) and the libraries it bundles. The lesson: a model server's management API is a privileged control plane that must authenticate, bind to loopback, and never deserialize untrusted config unsafely — Oligo found thousands of exposed instances at major organizations, so the default-open posture is the real-world exposure."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the model server's management API; the default deployment is open and network-exposed."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI model servers and their bundled deserialization libraries as managed, RCE-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Model servers are deployed with default-open management planes on trusted-network assumptions; bundled YAML/deserialization libraries are not tracked.",
+      "theater_pattern": "default_open_management_plane"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-093",
+        "name": "AI-MODEL-SERVER-MANAGEMENT-API-HARDENING",
+        "description": "An AI model server's management API must authenticate every caller, bind to loopback (not all interfaces) by default, restrict model sources to an allow-list (no fetching configs/archives from arbitrary URLs), and parse configuration with safe deserializers (SafeConstructor / no arbitrary type instantiation). Upgrade SnakeYAML 2.0+ (SafeConstructor default) or construct parsers with SafeConstructor. The distinguishing test: from an unauthenticated remote client, attempt to register a model from an attacker URL against a staging model server and confirm it is refused and no remote content is fetched or deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",