llama-index vulnerable to arbitrary code execution

GHSA-2xxc-73fv-36f7 · CVE-2023-39662 · PYSEC-2023-148

Published Aug 15, 2023 · Modified Sep 30, 2024

Description

An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the exec parameter in PandasQueryEngine function.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-39662
WEB https://github.com/jerryjliu/llama_index/issues/7054
WEB https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81
WEB https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7
PACKAGE https://github.com/jerryjliu/llama_index
WEB https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes