Platform
python
Component
langchain-experimental
Opgelost in
0.0.21
0.0.21
CVE-2024-21513 is a critical vulnerability affecting versions of the langchain-experimental Python package up to 0.0.9. This flaw allows an attacker to execute arbitrary Python code by manipulating input prompts and exploiting the VectorSQLDatabaseChain configuration. The vulnerability stems from the code's attempt to use the eval function on values retrieved from the database, creating a significant security risk.
The primary impact of CVE-2024-21513 is the potential for arbitrary code execution on the server running the langchain-experimental package. An attacker who can control the input prompt used with VectorSQLDatabaseChain can inject malicious Python code that will be executed with the privileges of the application. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The vulnerability's impact extends to the confidentiality, integrity, and availability of the affected component and potentially the entire system, depending on the application's permissions and access controls. This is a particularly dangerous vulnerability because it allows for remote code execution without requiring authentication, making it easily exploitable.
CVE-2024-21513 was publicly disclosed on 2024-07-15. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation and the potential for significant impact make it a high-priority vulnerability. No public proof-of-concept exploits have been released, but the vulnerability's nature suggests that such exploits are likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Applications utilizing langchain-experimental, particularly those employing VectorSQLDatabaseChain with user-controlled input, are at significant risk. This includes AI-powered applications, chatbots, and any system where user input is directly incorporated into database queries without proper sanitization. Shared hosting environments where multiple applications share the same server are also at increased risk, as a compromise of one application could potentially lead to the compromise of others.
• python / langchain-experimental:
import langchain_experimental
import os
# Check langchain-experimental version
print(langchain_experimental.__version__)
# Check for vulnerable configuration (VectorSQLDatabaseChain enabled)
# This requires inspecting the application's code and configuration files.
# Look for instances where VectorSQLDatabaseChain is instantiated and used.• generic web: Check for unusual Python code execution patterns in server logs, particularly around database interactions. Monitor for unexpected processes running with the application's user account.
disclosure
Exploit Status
EPSS
10.17% (93% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-21513 is to immediately upgrade the langchain-experimental package to version 0.0.21 or later. This version contains a fix that prevents the use of eval on database values. If upgrading is not immediately feasible, consider disabling the VectorSQLDatabaseChain functionality or implementing strict input validation to sanitize user-provided data before it is used in database queries. Review and audit all code that interacts with the database to ensure proper input validation and sanitization practices are in place. After upgrading, confirm the fix by attempting to inject a simple Python command into the input prompt and verifying that it is not executed.
Actualice la biblioteca langchain-experimental a la versión 0.0.21 o superior. Esto corrige la vulnerabilidad de ejecución de código arbitrario al evitar el uso de 'eval' en los valores recuperados de la base de datos. Ejecute `pip install --upgrade langchain-experimental` para actualizar.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-21513 is a HIGH severity vulnerability in langchain-experimental versions up to 0.0.9 that allows attackers to execute arbitrary Python code through database value manipulation, impacting confidentiality, integrity, and availability.
You are affected if you are using langchain-experimental versions 0.0.15 or earlier. Check your installed version and upgrade immediately if vulnerable.
Upgrade to langchain-experimental version 0.0.21 or later. If immediate upgrade is not possible, disable VectorSQLDatabaseChain or implement strict input validation.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the Langchain security advisories and release notes for details: [https://github.com/langchain-ai/langchain-experimental/security/advisories](https://github.com/langchain-ai/langchain-experimental/security/advisories)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.