Lucene search

Veracode Vulnerability DatabaseVERACODE:47241

HistoryMay 29, 2024 - 7:34 a.m.

Command Injection

2024-05-2907:34:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

command injection

eval function

arbitrary commands

client's machine

software

llm hosting provider

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

llama_index is vulnerable to a Command Injection. The vulnerability is due to unsafe usage of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client’s machine.

CPENameOperatorVersion
llama-indexle0.10.12
llama-indexle0.10.12

CPE	Name	Operator	Version
	llama-index	le	0.10.12
	llama-index	le	0.10.12

References

github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba

huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47241