CCC.GenAI.TH07: Insecure Plugin
Threat ID: CCC.GenAI.TH07
Title: Insecure Plugin
Description:
A plugin integrated with a GenAI model may contain vulnerabilities such as missing input validation or improper access control (for example, running with broader permissions than the task requires). An adversary may exploit these flaws by crafting a prompt that causes the model to pass a malicious payload to the plugin through an otherwise legitimate tool call, potentially leading to system compromise, data exfiltration or privilege escalation. The model itself need not be compromised: the plugin executes whatever it receives with its own privileges.
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.GenAI.F25 | Plugin Integrations | Ability for the model to use tools to complete a model interaction, for example web search, Python code execution or an external maths engine. |
External Mappings
Reference ID | Entry ID | Strength | Remarks |
---|---|---|---|
SAIF | IIC | 0 | Insecure Integrated Component |
OWASP-LLM-TOP10 | LLM07 | 0 | Insecure Plugin Design |
MITRE-ATLAS | AML.T0053 | 0 | LLM Plugin Compromise |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.GenAI.C06 | Least Privilege for Plugins | Restricts the permissions of any external tools the GenAI system can call, to limit the potential damage if an agent is coerced into performing unintended actions or if vulnerabilities in the tools are exploited. | Identity and Access Management | 2 | 1 | 1 |
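The following is an added example, not code from the CCC catalogue, illustrating both the threat described above (a plugin with poor input validation and no access restriction) and the CCC.GenAI.C06 control (confining the plugin to the least privilege it needs). It assumes a hypothetical `read_file` tool exposed to the model and a constructed directory layout under a temporary directory; the injected tool call is likewise constructed. The insecure plugin joins the model-supplied path onto its data root without checking containment, so a prompt that coerces the model into emitting `../secret/creds.txt` reads a file outside the intended scope. The hardened version validates the argument shape, canonicalises the path and rejects anything that resolves outside its read-only scope (including symlinks that point out of it), bounds the output size, and only dispatches tools on an allowlist.

```python
"""Added example for CCC.GenAI.TH07 / CCC.GenAI.C06: a file-reading plugin with
poor input validation and no scope restriction, beside a least-privilege
version. Tool name, directory layout and tool calls are constructed for
illustration; none of them come from the CCC catalogue."""
import json
import tempfile
from pathlib import Path
from typing import Any

MAX_BYTES = 4096               # upper bound on what one tool call may hand back to the model
ALLOWED_TOOLS = {"read_file"}  # allowlist of plugins the model is permitted to invoke


def insecure_read_file(args: dict[str, Any], root: Path) -> str:
    """VULNERABLE: joins the model-supplied path onto the data root without
    checking containment, so '../' (or a symlink) walks out of the directory."""
    return (root / args["path"]).read_text()


class ReadOnlyScope:
    """Least-privilege handle: the plugin may read files under `root` and nothing else."""

    def __init__(self, root: Path) -> None:
        self.root = root.resolve()

    def resolve(self, user_path: str) -> Path:
        # Canonicalise first (follows symlinks, collapses '..'), then check containment.
        target = (self.root / user_path).resolve()
        if self.root not in target.parents:
            raise PermissionError(f"path escapes plugin scope: {user_path!r}")
        if not target.is_file():
            raise FileNotFoundError(user_path)
        return target


def secure_read_file(args: dict[str, Any], scope: ReadOnlyScope) -> str:
    """Validates the argument shape, confines the path to the scope, bounds the output."""
    if set(args) != {"path"} or not isinstance(args["path"], str) or "\0" in args["path"]:
        raise ValueError("read_file expects exactly one string argument 'path'")
    target = scope.resolve(args["path"])
    return target.read_bytes()[:MAX_BYTES].decode("utf-8", errors="replace")


def dispatch(model_output: str, scope: ReadOnlyScope) -> str:
    """Parse the model's JSON tool call and route it through the hardened plugin."""
    call = json.loads(model_output)
    if call.get("tool") not in ALLOWED_TOOLS:
        raise ValueError(f"unknown tool {call.get('tool')!r}")
    if not isinstance(call.get("arguments"), dict):
        raise ValueError("arguments must be a JSON object")
    return secure_read_file(call["arguments"], scope)


def run_plugin(fn, *fn_args) -> str:
    """Return the plugin's output, or the exception class name if it refused the call."""
    try:
        return fn(*fn_args)
    except (PermissionError, ValueError, FileNotFoundError) as exc:
        return type(exc).__name__


def demo() -> dict[str, str]:
    """Build a constructed layout and run an injected tool call through both plugins."""
    base = Path(tempfile.mkdtemp())
    data, secret = base / "data", base / "secret"
    data.mkdir()
    secret.mkdir()
    (data / "report.txt").write_text("quarterly numbers")
    (secret / "creds.txt").write_text("db_password=hunter2")  # constructed secret outside scope
    scope = ReadOnlyScope(data)

    # Constructed tool call: the adversary's prompt coerced the model into
    # emitting a traversal path where a bare file name was expected.
    injected = json.dumps({"tool": "read_file", "arguments": {"path": "../secret/creds.txt"}})
    benign = json.dumps({"tool": "read_file", "arguments": {"path": "report.txt"}})

    results = {
        "insecure": run_plugin(insecure_read_file, json.loads(injected)["arguments"], data),
        "secure": run_plugin(dispatch, injected, scope),
        "benign": run_plugin(dispatch, benign, scope),
        # The model must not be able to reach a tool outside the allowlist either.
        "unknown_tool": run_plugin(dispatch, json.dumps({"tool": "shell", "arguments": {}}), scope),
    }
    # A symlink inside the scope that points outside it: resolve() follows it, containment fails.
    try:
        (data / "link.txt").symlink_to(secret / "creds.txt")
        results["symlink"] = run_plugin(
            dispatch, json.dumps({"tool": "read_file", "arguments": {"path": "link.txt"}}), scope)
    except OSError:  # platforms that refuse unprivileged symlink creation
        results["symlink"] = "skipped"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the insecure plugin returning the contents of `creds.txt` for the injected call, while the hardened dispatcher refuses it with `PermissionError`, serves the benign call normally, and rejects the unlisted `shell` tool. Containment is checked on the resolved path, not the string the model supplied, which is what defeats both `..` sequences and symlinks; the separate `ReadOnlyScope` object is the least-privilege boundary, so the same plugin code cannot be pointed at a broader root by a tool call.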