Lucene search

Veracode Vulnerability DatabaseVERACODE:42832

HistoryAug 17, 2023 - 5:45 a.m.

Arbitrary Code Execution

2023-08-1705:45:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

langchain

arbitrary code execution

vulnerability

flaw

from_math_prompt

from_colored_object_prompt

software

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

80.5%

JSON

langchain is vulnerable to Arbitrary Code Execution. This vulnerability is caused by a flaw in the from_math_prompt and from_colored_object_prompt functions, which could allow an attacker to execute arbitrary code on the victim’s system by sending a specially crafted prompt.

References

github.com/advisories/GHSA-92j5-3459-qgp4

github.com/hwchase17/langchain/issues/5872

github.com/hwchase17/langchain/pull/6003

github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137

github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e

github.com/langchain-ai/langchain/issues/5872

github.com/langchain-ai/langchain/pull/6003

twitter.com/llm_sec/status/1668711587287375876

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

80.5%

JSON

Related for VERACODE:42832