CVE-2024-3098 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-3098

CVE-2024-3098

April 10, 2024

A vulnerability was identified in the "exec_utils" class of the "llama_index" package, specifically within the "safe_eval" function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.

Affected Packages

llama-index-core (PYTHON):

Affected version(s) >=0.9.41 <0.10.24

Fix Suggestion:

Update to version 0.10.24

Related Resources (5)

https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7

https://nvd.nist.gov/vuln/detail/CVE-2024-3098

https://github.com/run-llama/llama_index

https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475

https://github.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

EPSS

Base Score:

0.19

Products

Solutions

Resources

Company

Compare

Developer Tools