Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:46457
HistoryApr 16, 2024 - 12:12 p.m.

Code Injection

2024-04-1612:12:02
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
11
code injection
vulnerability
input validation
exec_utils class
unauthorized code execution
llama-index-core

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

llama-index-core is vulnerable to Code Injection. The vulnerability is due to insufficient input validation within the safe_eval function in the exec_utils class, which allows an attacker to bypass method restrictions resulting in unauthorized code execution.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

Related for VERACODE:46457