CVE-2023-38896 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-38896

CVE-2023-38896

August 15, 2023

An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.

Related Resources (8)

https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml

https://twitter.com/llm_sec/status/1668711587287375876

https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137

https://nvd.nist.gov/vuln/detail/CVE-2023-38896

https://github.com/hwchase17/langchain/pull/6003

https://github.com/hwchase17/langchain/issues/5872

https://github.com/langchain-ai/langchain

https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Improper Control of Generation of Code ('Code Injection')

CWE-94

EPSS

Base Score:

0.79

Products

Solutions

Resources

Company

Compare

Developer Tools