GoogleOSV:GHSA-GWQQ-6VQ7-5J86langchain Code Injection vulnerability
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.7%
An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via the PALChain,from_math_prompt(llm).run in the python exec method.
References
langchain.com
github.com/hwchase17/langchain
github.com/langchain-ai/langchain
github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137
github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e
github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236
github.com/langchain-ai/langchain/issues/5872
github.com/langchain-ai/langchain/pull/6003
github.com/langchain-ai/langchain/pull/7870
github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml
nvd.nist.gov/vuln/detail/CVE-2023-36095
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.7%