Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
veracodeVeracode Vulnerability DatabaseVERACODE:46885
HistoryMay 14, 2024 - 6:24 a.m.

Server Side Request Forgery (SSRF)

2024-05-1406:24:35
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
ssrf
jinja2
code execution
vulnerability
sandbox-less environment
malicious payload

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0

Percentile

9.0%

JSON

llama-cpp-python is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is due to loading the chat template in a sandbox-less jinja2.Environment, allowing an attacker to execute arbitrary code by crafting a malicious payload within a model, and convincing a user intro running it.

Related

vulnrichment 2
nvd 2
cve 2
github 1
osv 2
cvelist 2
thn 1
vulnrichment
vulnrichment
CVE-2024-34359 llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
2024-05-10 17:07:18
CVE-2024-4897 Remote Code Execution in parisneo/lollms-webui
2024-07-02 14:37:36
nvd
nvd
CVE-2024-34359
2024-05-14 15:38:45
CVE-2024-4897
2024-07-02 15:15:11
cve
cve
CVE-2024-34359
2024-05-14 15:38:45
CVE-2024-4897
2024-07-02 15:15:11
github
github
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
2024-05-13 14:10:18
osv
osv
CVE-2024-34359
2024-05-14 15:38:45
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
2024-05-13 14:10:18
cvelist
cvelist
CVE-2024-34359 llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
2024-05-10 17:07:18
CVE-2024-4897 Remote Code Execution in parisneo/lollms-webui
2024-07-02 14:37:36
thn
thn
Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox
2024-05-21 10:22:00

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0

Percentile

9.0%

JSON
Related for VERACODE:46885
vulnrichment2nvd2cve2github1osv2cvelist2thn1