Lucene search

GoogleOSV:CVE-2024-1455

HistoryMar 26, 2024 - 2:15 p.m.

CVE-2024-1455

2024-03-2614:15:08

Google

osv.dev

cve-2024-1455

billion laughs attack

xml external entity (xxe)

denial of service

langchain-ai

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

CPENameOperatorVersion
langchaineq0.0.105
langchaineq0.0.137
langchaineq0.0.159
langchaineq0.0.169
langchaineq0.0.300
langchaineq0.1.5
langchaineq0.0.164
langchaineq0.0.147
langchaineq0.0.346
langchaineq0.0.354

Name	Operator	Version
langchain	eq	0.0.105
langchain	eq	0.0.137
langchain	eq	0.0.159
langchain	eq	0.0.169
langchain	eq	0.0.300
langchain	eq	0.1.5
langchain	eq	0.0.164
langchain	eq	0.0.147
langchain	eq	0.0.346
langchain	eq	0.0.354

Rows per page:

1-10 of 3221

References

github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3

huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for OSV:CVE-2024-1455