Lucene search

GitHub Advisory DatabaseGHSA-WMVM-9VQV-5QPP

HistoryJun 16, 2024 - 3:30 p.m.

langchain_experimental Code Execution via Python REPL access

2024-06-1615:30:44

CWE-276

GitHub Advisory Database

github.com

langchain experimental

python

repl

access

security

incomplete fix

cve-2024-27444

software

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

Percentile

9.0%

JSON

langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444.

Affected configurations

Vulners

Node

langchainlangchain-experimentalRange<0.0.61

VendorProductVersionCPE
langchainlangchain-experimental*cpe:2.3:a:langchain:langchain-experimental:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
langchain	langchain-experimental	*	cpe:2.3:a:langchain:langchain-experimental::::::::

References

github.com/advisories/GHSA-wmvm-9vqv-5qpp

github.com/langchain-ai/langchain/commit/ce0b0f22a175139df8f41cdcfb4d2af411112009

github.com/langchain-ai/langchain/compare/langchain-experimental==0.0.60...langchain-experimental==0.0.61

github.com/langchain-ai/langchain/pull/22860

github.com/pypa/advisory-database/tree/main/vulns/langchain-experimental/PYSEC-2024-53.yaml

nvd.nist.gov/vuln/detail/CVE-2024-38459

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for GHSA-WMVM-9VQV-5QPP