GitHub Advisory Database: GHSA-GJJR-63X4-V8CQ
Published: Oct 09, 2023 - 9:30 p.m.

langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

Tags: vulnerable, arbitrary code execution, bypass, palchain, python, cve-2023-36258 fix

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.003 (Percentile: 71.7%)

langchain_experimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.

Affected configurations

Vulners node: vendor langchain, product langchain-experimental, range 0.0.14
Vendor: langchain
Product: langchain-experimental
Version: *
CPE: cpe:2.3:a:langchain:langchain-experimental:*:*:*:*:*:*:*:*
