Home > Vulnerability Database > CVE-2024-4343

Mend.io Vulnerability Database

CVE-2024-4343

Date: November 14, 2024

A Python command injection vulnerability exists in the "SagemakerLLM" class's "complete()" method within "./private_gpt/components/llm/custom/sagemaker.py" of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the "eval()" function to parse a string received from a remote AWS SageMaker LLM endpoint into a dictionary. This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the application. The issue is fixed in version 0.6.0.

Language: Python

Severity Score

9.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4343

Url: https://github.com/imartinez/privategpt/commit/86368c61760c9cee5d977131d23ad2a3e063cbe9

Url: https://huntr.com/bounties/1d1e8f06-ec45-4b17-ae24-b83a41304c15

Url: https://www.mend.io/vulnerability-database/CVE-2024-4343

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4343

Date: November 14, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?