Lucene search
HistorySep 17, 2024 - 12:15 p.m.
CVE-2024-5998
vulnerability
faiss.deserialize_from_bytes
langchain-ai/langchain
pickle deserialization
untrusted data
arbitrary commands
os.system
latest version
CVSS3
5.2
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
0
Percentile
9.6%
A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.
Related
github
github
LangChain pickle deserialization of untrusted data
2024-09-17 12:30:32
cvelist
cvelist
CVE-2024-5998 Deserialization of Untrusted Data in langchain-ai/langchain
2024-09-17 11:50:13
cve
cve
CVE-2024-5998
2024-09-17 12:15:02
osv
osv
LangChain pickle deserialization of untrusted data
2024-09-17 12:30:32
CVE-2024-5998
2024-09-17 12:15:02
vulnrichment
vulnrichment
CVE-2024-5998 Deserialization of Untrusted Data in langchain-ai/langchain
2024-09-17 11:50:13
CVSS3
5.2
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
0
Percentile
9.6%
Related for NVD:CVE-2024-5998