CVE-2024-23751

CRITICAL9.8EPSS 0.21%

SQL injection in llama-index

發布日:2024/1/22修改日:2024/2/16

描述

LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

受影響套件(2)

PyPI/llama-indexfrom 0, <= 0.9.35
PyPI/llama-indexfrom 0, < 0.9.35

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23751
PATCHhttps://github.com/run-llama/llama_index
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml
WEBhttps://github.com/run-llama/llama_index/issues/9957