Lucene search

GitHub Advisory DatabaseGHSA-7GFQ-F96F-G85J

HistoryAug 22, 2023 - 9:30 p.m.

langchain vulnerable to arbitrary code execution

2023-08-2221:30:27

CWE-94

GitHub Advisory Database

github.com

langchain

arbitrary code execution

remote attacker

json file

load_prompt parameter

vulnerability

software

__subclasses__

template

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.031

Percentile

91.2%

JSON

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the load_prompt parameter. This is related to __subclasses__ or a template.

Affected configurations

Vulners

Node

langchainlangchainRange<0.0.312

VendorProductVersionCPE
langchainlangchain*cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
langchain	langchain	*	cpe:2.3:a:langchain:langchain::::::::

References

aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55

github.com/advisories/GHSA-7gfq-f96f-g85j

github.com/hwchase17/langchain/issues/4394

github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c

github.com/langchain-ai/langchain/pull/10252

github.com/langchain-ai/langchain/releases/tag/v0.0.312

github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml

nvd.nist.gov/vuln/detail/CVE-2023-36281

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.031

Percentile

91.2%

JSON

Related for GHSA-7GFQ-F96F-G85J