AVID-2023-V028

Vulnerability from avid – Published: 2023-03-31 – Updated: 2023-03-31 – Class: LLM Evaluation
Summary
Frameworks like langchain (Python) and boxcars.ai (Ruby) offer apps and scripts to directly execute queries through LLMs as a built-in feature. In the context of boxcars.ai, this makes it really easy to perform remote code execution or SQL injection. All you have to do is ask politely! See the references for more details.
Risk domain
Ethics
SEP view
S0100: Software Vulnerability, S0201: Model Compromise, S0301: Information Leak, S0202: Software Compromise, S0601: Ingest Poisoning
Lifecycle
L04: Model Development, L05: Evaluation, L06: Deployment
Organisations
OpenAI (deployer), boxcars.ai (deployer), OpenAI (developer)
Affected artifacts
Artifact | Type
ChatGPT | System
boxcars.ai | System
References
URL | Label
https://blog.luitjes.it/posts/injectgpt-most-poli… | InjectGPT: the most polite exploit ever
https://www.reddit.com/r/netsec/comments/121gpay/… | Reddit thread on InjectGPT

{
  "affects": {
    "artifacts": [
      {
        "name": "ChatGPT",
        "type": "System"
      },
      {
        "name": "boxcars.ai",
        "type": "System"
      }
    ],
    "deployer": [
      "OpenAI",
      "boxcars.ai"
    ],
    "developer": [
      "OpenAI"
    ]
  },
  "credit": [
    {
      "lang": "eng",
      "value": "Lucas Luitjes, N/A"
    }
  ],
  "data_type": "AVID",
  "data_version": "0.2",
  "description": {
    "lang": "eng",
    "value": "Frameworks like langchain (Python) and boxcars.ai (Ruby) offer apps and scripts to directly execute queries through LLMs as a built-in feature. In the context of boxcars.ai, this makes it really easy to perform remote code execution or SQL injection. All you have to do is ask politely! \nSee the references for more details."
  },
  "impact": {
    "avid": {
      "lifecycle_view": [
        "L04: Model Development",
        "L05: Evaluation",
        "L06: Deployment"
      ],
      "risk_domain": [
        "Ethics"
      ],
      "sep_view": [
        "S0100: Software Vulnerability",
        "S0201: Model Compromise",
        "S0301: Information Leak",
        "S0202: Software Compromise",
        "S0601: Ingest Poisoning"
      ],
      "taxonomy_version": "0.2"
    }
  },
  "last_modified_date": "2023-03-31",
  "metadata": {
    "vuln_id": "AVID-2023-V028"
  },
  "problemtype": {
    "classof": "LLM Evaluation",
    "description": {
      "lang": "eng",
      "value": "It is possible to make ChatGPT perform remote code execution just by asking politely"
    },
    "type": "Advisory"
  },
  "published_date": "2023-03-31",
  "references": [
    {
      "label": "InjectGPT: the most polite exploit ever",
      "type": "source",
      "url": "https://blog.luitjes.it/posts/injectgpt-most-polite-exploit-ever/"
    },
    {
      "label": "Reddit thread on InjectGPT",
      "type": "source",
      "url": "https://www.reddit.com/r/netsec/comments/121gpay/injectgpt_remote_code_execution_by_asking_nicely/"
    }
  ],
  "reports": [
    {
      "name": "It is possible to make ChatGPT perform remote code execution just by asking politely",
      "report_id": "AVID-2023-R0004",
      "type": "Advisory"
    }
  ]
}