Artificial intelligence computing giant NVIDIA on Wednesday pushed out urgent patches for a pair of software flaws in its ChatRTX for Windows app alongside a warning that users are at risk of code execution and data tampering attacks.
According to an advisory from NVIDIA, the flaws carry a ‘high-risk’ rating and could be exploited to launch harmful code via cross-site-scripting attacks.
The security defects, flagged as CVE-2024-0082 and CVE-2024-0083, affect ChatRTX for Windows 0.2 and prior versions.
The raw details:
- CVE-2024-0082 — NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause improper privilege management by sending open file requests to the application. A successful exploit of this vulnerability might lead to local escalation of privileges, information disclosure, and data tampering. CVSS severity score 8.2/10.
- CVE-2024-0083 — NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause a cross-site scripting error by network by running malicious scripts in users’ browsers. A successful exploit of this vulnerability might lead to code execution, denial of service, and information disclosure. CVSS severity score 6.5/10.
The NVIDIA ChatRTX app is used by developers and AI enthusiasts to connect PC LLMs to their own data using a popular technique known as retrieval-augmented generation (RAG).