PT-2024-31480 · Unknown · Llama Index
Published 2024-08-22 · Updated 2024-11-25 · CVE-2024-45201
CVSS v4.0 9.3 Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Llama Index versions prior to 0.10.38
Description
An issue was discovered in the download/integration.py file, which contains an exec call that imports a class whose name is taken from the cls_name variable. Because the class name is interpolated into the executed import statement rather than resolved as an identifier, a crafted cls_name value is executed as Python code, which can lead to arbitrary code execution.
Recommendations
For versions prior to 0.10.38, update to version 0.10.38 or later to resolve the issue. As a temporary workaround, restrict access to the download/integration.py file to minimize the risk of exploitation, and avoid calling the code path that passes cls_name to the affected import statement until the upgrade is applied: any value that reaches that exec call is treated as code, not merely as a name, so it must never be derived from untrusted input.
Fix
Fixed in Llama Index 0.10.38.
Weakness Enumeration: Code Injection
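The exec-based import pattern described above, shown next to a hardened replacement, as an added example that is not LlamaIndex's own code: the vulnerable function is a constructed, simplified stand-in for the bug class (not the project's actual download/integration.py), the payload is benign and only binds a marker variable, and the module allowlist in the hardened version is an assumption about what the caller legitimately needs.

```python
import importlib

# --- Vulnerable pattern -------------------------------------------------
# Constructed illustration of the bug class in the advisory, NOT the
# project's real code: the class name is interpolated into a statement
# string and handed to exec(), so anything after the first identifier in
# cls_name runs as Python in the caller's process.
def import_class_unsafe(module_import_str: str, cls_name: str) -> dict:
    namespace: dict = {}
    exec(f"from {module_import_str} import {cls_name}", namespace)
    return namespace  # whatever the executed statement(s) bound


def demo_injection() -> str:
    # Benign constructed payload: instead of a bare class name it carries a
    # second statement. A real attacker would put e.g. os.system(...) here.
    payload = "path; INJECTED = 'attacker code ran'"
    ns = import_class_unsafe("os", payload)
    return ns.get("INJECTED", "")


# --- Hardened pattern ---------------------------------------------------
# Assumption (not from the advisory): the caller only ever needs a public
# class from a small, known set of top-level modules. Importing a module
# executes its top-level code, so the module path is validated too, not
# just the class name.
ALLOWED_MODULE_PREFIXES = ("collections", "json")  # hypothetical allowlist


def import_class_safe(module_import_str: str, cls_name: str):
    parts = module_import_str.split(".")
    if not all(p.isidentifier() for p in parts):
        raise ValueError(f"invalid module path: {module_import_str!r}")
    if parts[0] not in ALLOWED_MODULE_PREFIXES:
        raise ValueError(f"module not allowed: {module_import_str!r}")
    # isidentifier() rejects spaces, ';', quotes, parentheses, etc.; the
    # underscore check keeps private/dunder attributes out of reach.
    if not cls_name.isidentifier() or cls_name.startswith("_"):
        raise ValueError(f"invalid class name: {cls_name!r}")
    module = importlib.import_module(module_import_str)  # no string eval
    try:
        return getattr(module, cls_name)
    except AttributeError:
        raise ImportError(f"{cls_name} not found in {module_import_str}") from None


def hardened_rejects_payload() -> bool:
    # Same payload as demo_injection(); the hardened import must refuse it
    # before any import happens.
    try:
        import_class_safe("os", "path; INJECTED = 'attacker code ran'")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe import bound marker:", repr(demo_injection()))
    print("safe import resolved:", import_class_safe("collections", "OrderedDict"))
    print("safe import rejected payload:", hardened_rejects_payload())
```

The important design point is that the hardened version never builds source text from the inputs: importlib.import_module resolves the module and getattr resolves the attribute, so there is no string for an attacker to break out of. The identifier checks are defence in depth, and the allowlist is what actually bounds which module code can be executed on import.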
Affected Products
Llama Index