LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection
Platform: python
Component: llama-index-retrievers-duckdb-retriever
Fixed in: 0.4.0
A critical SQL injection vulnerability has been identified in the llama-index-retrievers-duckdb-retriever component, specifically affecting versions up to 0.3.0. This flaw allows attackers to inject malicious SQL code into queries, potentially leading to remote code execution. The vulnerability stems from the improper construction of SQL queries without utilizing prepared statements. Affected users should immediately upgrade to version 0.4.0 to mitigate this risk.
Impact and Attack Scenarios
The impact of this SQL injection vulnerability is severe. An attacker can leverage it to execute arbitrary SQL commands against the DuckDB database. The description explicitly mentions the possibility of achieving remote code execution (RCE) by installing the shellfs extension and then executing malicious commands. This could allow an attacker to gain complete control over the affected system, exfiltrate sensitive data, modify database contents, or even pivot to other systems within the network. The potential for data breaches and system compromise is significant.
Exploitation Context
This vulnerability is considered highly exploitable due to the ease of SQL injection and the potential for RCE. While no public exploits have been widely reported, the combination of a CRITICAL CVSS score and the potential for RCE suggests a high probability of exploitation. The vulnerability was publicly disclosed on 2025-03-20. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Who Is at Risk
Applications leveraging the llama-index-retrievers-duckdb-retriever component for data retrieval from DuckDB databases are at risk. This includes projects utilizing the run-llama/llama_index repository and those integrating DuckDB as a data source. Specifically, deployments using older versions (≤0.3.0) and those lacking robust input validation are particularly vulnerable.
Detection Steps
• python / supply-chain: check the installed version of the component. Every release up to and including 0.3.0 is affected, so the check parses the version reported by pip and compares it, rather than matching only the single string "Version: 0.3.0":

    import re
    import subprocess

    # Ask pip for the installed package metadata and compare the reported version with 0.3.0
    result = subprocess.run(['pip', 'show', 'llama-index-retrievers-duckdb-retriever'], capture_output=True, text=True)
    for line in result.stdout.splitlines():
        if line.startswith('Version:'):
            version = tuple(int(n) for n in re.findall(r'\d+', line)[:3])
            if version <= (0, 3, 0):
                print('Vulnerable version detected!')

• generic web: Check for DuckDB database endpoints exposed in the application. Use curl to test for SQL injection vulnerabilities.

    curl 'http://example.com/duckdb_endpoint?query=1%20OR%201=1' # Replace with actual endpoint

Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS: 1.17% (percentile 79%)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. No authentication and no credentials required to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-11958 is to upgrade the llama-index-retrievers-duckdb-retriever component to version 0.4.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on any user-supplied data used in SQL queries. While not a complete solution, this can reduce the attack surface. Additionally, review and restrict the permissions granted to the DuckDB user account to limit the potential damage from a successful SQL injection attack. After upgrading, confirm the fix by attempting to inject a simple SQL statement and verifying that it is properly sanitized.
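The advisory attributes the flaw to SQL built without prepared statements and recommends input validation as the interim workaround. The following is an added example, not code from llama-index or from this advisory, showing the two sides of that recommendation in one small retriever: a vulnerable function that splices the search text into the SQL string, and a hardened one that binds the text as a query parameter and allowlists the parts of the statement that cannot be bound (table and column names). The table name, column names and rows are constructed for the example. The demo runs against sqlite3 from the standard library so it works offline; a DuckDB connection from duckdb.connect() exposes the same execute(sql, params) call with "?" placeholders, so the hardened function is usable there unchanged.

```python
import re
import sqlite3

# Assumed schema for the example (constructed, not the retriever's real one).
ALLOWED_TABLES = {"documents"}
ALLOWED_COLUMNS = {"text", "node_id"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_demo_db():
    """In-memory stand-in for the DuckDB store, with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (node_id TEXT, text TEXT)")
    con.executemany("INSERT INTO documents VALUES (?, ?)", [
        ("n1", "duckdb retriever notes"),
        ("n2", "unrelated text"),
        ("n3", "secret: internal only"),
    ])
    return con


def retrieve_unsafe(con, query_str, table="documents", column="text"):
    """Vulnerable pattern: user-supplied text is spliced into the SQL string.

    A search string containing a quote terminates the literal and lets the
    caller change the WHERE clause, which is the class of bug the advisory
    describes.
    """
    sql = f"SELECT node_id FROM {table} WHERE {column} LIKE '%{query_str}%' ORDER BY node_id"
    return [row[0] for row in con.execute(sql).fetchall()]


def validated_identifier(name, allowed):
    """Identifiers cannot be bound as parameters, so they are allowlisted
    and double-quoted instead of interpolated verbatim."""
    if name not in allowed or not IDENTIFIER_RE.match(name):
        raise ValueError(f"identifier not allowed: {name!r}")
    return f'"{name}"'


def retrieve_safe(con, query_str, table="documents", column="text"):
    """Hardened pattern: identifiers are allowlisted, the search text is bound
    with a '?' placeholder so the database never parses it as SQL."""
    sql = (
        f"SELECT node_id FROM {validated_identifier(table, ALLOWED_TABLES)} "
        f"WHERE {validated_identifier(column, ALLOWED_COLUMNS)} LIKE ? "
        "ORDER BY node_id"
    )
    return [row[0] for row in con.execute(sql, (f"%{query_str}%",)).fetchall()]


if __name__ == "__main__":
    con = build_demo_db()
    probe = "' OR '1'='1"  # the classic tautology probe, same idea as the curl check above
    print("normal search, safe :", retrieve_safe(con, "duckdb"))
    print("probe, unsafe        :", retrieve_unsafe(con, probe))  # every row leaks
    print("probe, safe          :", retrieve_safe(con, probe))    # no row matches
```

Running the demo shows the unsafe function returning all three rows for the tautology probe while the hardened one returns none, because the bound value is compared as data. The same distinction is what the advisory's "confirm the fix" step checks after upgrading: the injected statement must come back treated as plain text.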
How to Fix
Update the LlamaIndex library to version 0.4.0 or later. This version contains a fix for the SQL injection vulnerability in the `duckdb_retriever` component. The update prevents arbitrary code execution through the injection of malicious SQL commands.
Frequently Asked Questions
What is CVE-2024-11958 — SQL Injection in llama-index-retrievers-duckdb-retriever?
CVE-2024-11958 is a critical SQL injection vulnerability in the llama-index-retrievers-duckdb-retriever component, allowing attackers to inject malicious SQL code.
Am I affected by CVE-2024-11958 in llama-index-retrievers-duckdb-retriever?
You are affected if you are using llama-index-retrievers-duckdb-retriever versions 0.3.0 or earlier.
How do I fix CVE-2024-11958 in llama-index-retrievers-duckdb-retriever?
Upgrade to version 0.4.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
Is CVE-2024-11958 being actively exploited?
While no widespread exploitation has been confirmed, the vulnerability's severity and potential for RCE suggest a high probability of exploitation.
Where can I find the official llama-index advisory for CVE-2024-11958?
Refer to the official llama-index repository and security advisories for the latest information and updates.