4Ur0N

#25302 of 53,633
9.8 CVSS total
Vulnerabilities · 1
PT-2026-22991
9.8
2026-03-02
Doris · Doris · CVE-2026-28438
**Name of the Vulnerable Software and Affected Versions**

CocoIndex versions prior to 0.3.34

**Description**

CocoIndex, a data transformation framework for AI, contains a flaw in the Doris target connector. Prior to version 0.3.34, the connector did not validate the configured table name before constructing SQL statements, specifically `ALTER TABLE` statements. This lack of validation allows for SQL injection when the target schema changes if the table name is supplied by an untrusted source. The vulnerable component is the Doris target connector. The `table name` is a vulnerable parameter.

**Recommendations**

Versions prior to 0.3.34 should be updated to version 0.3.34 or later. Ensure table names used to configure CocoIndex targets are valid and come from a trusted source. If the table name originates from an untrusted source, validate it before using it to configure the Doris target for CocoIndex.
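
The validation step recommended above, sketched as an added example (this is not CocoIndex's code or its fix): an unchecked `ALTER TABLE` builder beside one that allowlists identifiers before quoting them. The function names, the identifier pattern, the type set and the sample table names are all assumptions constructed for illustration; the pattern is deliberately stricter than Doris requires.

```python
import re

# Assumption: conservative allowlist, stricter than Doris itself requires.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Sample subset of Doris column types this sketch will emit.
_TYPES = {"INT", "BIGINT", "DOUBLE", "BOOLEAN", "STRING", "DATETIME"}


def validate_ident(name):
    """Return name unchanged if it is a plain identifier, else raise ValueError."""
    # fullmatch (not match) so trailing newlines or appended SQL cannot pass.
    if not isinstance(name, str) or _IDENT.fullmatch(name) is None:
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def alter_unchecked(table, column, col_type):
    """'Before' pattern: the configured table name goes straight into the SQL."""
    return f"ALTER TABLE {table} ADD COLUMN {column} {col_type}"


def alter_checked(table, column, col_type):
    """Validate every identifier, allowlist the type, then backtick-quote."""
    if col_type not in _TYPES:
        raise ValueError(f"unsupported column type: {col_type!r}")
    return (f"ALTER TABLE `{validate_ident(table)}` "
            f"ADD COLUMN `{validate_ident(column)}` {col_type}")


def screen(names):
    """Map each candidate table name to True (accepted) or False (rejected)."""
    result = {}
    for n in names:
        try:
            validate_ident(n)
            result[n] = True
        except ValueError:
            result[n] = False
    return result


# Constructed sample inputs, as they might arrive from an untrusted config.
SAMPLES = ["doc_embeddings", "events; DROP TABLE audit_log",
           "t` ADD COLUMN x INT", "db.tbl", "tbl\n", ""]

if __name__ == "__main__":
    for name, ok in screen(SAMPLES).items():
        print(f"{name!r:40} {'accept' if ok else 'REJECT'}")
    print(alter_checked("doc_embeddings", "score", "DOUBLE"))
```

A database-qualified name such as `db.tbl` is rejected on purpose: split it and validate each part separately rather than widening the pattern to allow dots.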