@blamejs/exceptd-skills 0.13.97 → 0.13.99

package/data/framework-control-gaps.json

@@ -38,6 +38,9 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -61,6 +64,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -1391,6 +1395,9 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-11392",
@@ -1479,6 +1486,7 @@
       "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-33236",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-35939",
@@ -1822,6 +1830,9 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1849,6 +1860,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
@@ -2289,6 +2301,7 @@
     "opened_date": "2026-05-13",
     "evidence_cves": [
       "CVE-2023-44467",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
@@ -2304,6 +2317,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-30165",
+      "CVE-2025-33236",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-6965",
@@ -2451,6 +2465,9 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
@@ -2542,6 +2559,7 @@
       "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-33236",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-35939",
@@ -3745,6 +3763,8 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2025-64513",
@@ -4963,6 +4983,9 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -4988,6 +5011,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -5509,6 +5533,7 @@
     "evidence_cves": [
       "CVE-2023-44467",
       "CVE-2023-51449",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5532,6 +5557,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -5594,6 +5620,9 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5619,6 +5648,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -5922,6 +5952,8 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",

package/data/zeroday-lessons.json

@@ -7633,6 +7633,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-6019": {
+    "name": "Anyscale Ray Dashboard cpu_profile Command Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-78 command injection via the dashboard cpu_profile parameter) lets an unauthenticated attacker execute OS commands on the dashboard host. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-h3xg-wv58-5p43",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6021": {
+    "name": "Anyscale Ray Dashboard Log API Local File Inclusion",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-22 path traversal / LFI in the dashboard log API) lets an unauthenticated attacker read arbitrary host files. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-0766": {
     "name": "Open WebUI Tool Module Code Injection RCE",
     "lesson_date": "2026-05-25",
@@ -8333,6 +8433,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-33236": {
+    "name": "NVIDIA NeMo Framework Malicious Model Import Code Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA NeMo (CWE-94 code injection on malicious model import) executes attacker code or writes attacker files when an untrusted NeMo model is imported/loaded.",
+      "privileges_required": "ability to get a NeMo model loaded (NVD AV:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-import path of NVIDIA NeMo, an LLM training/customization framework. The lesson is the same one the Keras and Hugging Face Transformers CVEs teach: a model artifact is executable code at load time, so models (and their archive formats) from untrusted sources must be treated as untrusted code - provenance, safe extraction, sandboxed loading."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM training/customization framework's model-load path as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to imported model artifacts/archives that NeMo deserializes or extracts."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "ML teams import NeMo models/checkpoints from hubs and shared stores and treat them as data; the framework's load path is assumed safe.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/checkpoints from untrusted sources, verify provenance, prefer safe formats, extract archives with path validation, and load untrusted models only in a sandboxed, least-privilege environment. Upgrade NVIDIA NeMo to 2.6.1 or later. The control is the same one that closes the Keras and Hugging Face Transformers model-deserialization CVEs - the class is 'a model file is executable code'. The distinguishing test: load an attacker-crafted NeMo model on a sandboxed instance and confirm no code executes and no file is written outside the extraction directory.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-0129": {
+    "name": "NVIDIA NeMo SaveRestoreConnector .tar Path Traversal to Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA NeMo (CWE-22 path traversal via unsafe .nemo (.tar) extraction) executes attacker code or writes attacker files when an untrusted NeMo model is imported/loaded.",
+      "privileges_required": "ability to get a NeMo model loaded (NVD AV:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-import path of NVIDIA NeMo, an LLM training/customization framework. The lesson is the same one the Keras and Hugging Face Transformers CVEs teach: a model artifact is executable code at load time, so models (and their archive formats) from untrusted sources must be treated as untrusted code - provenance, safe extraction, sandboxed loading."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM training/customization framework's model-load path as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to imported model artifacts/archives that NeMo deserializes or extracts."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "ML teams import NeMo models/checkpoints from hubs and shared stores and treat them as data; the framework's load path is assumed safe.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/checkpoints from untrusted sources, verify provenance, prefer safe formats, extract archives with path validation, and load untrusted models only in a sandboxed, least-privilege environment. Upgrade NVIDIA NeMo to r2.0.0rc0 or later. The control is the same one that closes the Keras and Hugging Face Transformers model-deserialization CVEs - the class is 'a model file is executable code'. The distinguishing test: load an attacker-crafted NeMo model on a sandboxed instance and confirm no code executes and no file is written outside the extraction directory.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5580",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-11393": {
     "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
     "lesson_date": "2026-05-25",