PT-2024-31815 · Guardrails Ai · Guardrails Ai Guardrails Framework
Leo Ring · Published 2024-09-18 · Updated 2024-09-20 · CVE-2024-45858
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Guardrails AI Guardrails framework versions 0.2.9 through 0.5.10
Description
An arbitrary code execution issue exists due to the way the Guardrails AI Guardrails framework validates XML files. If a maliciously crafted XML file containing Python code is loaded, the code will be executed on the user's machine because it is passed to an eval function.
Recommendations
For Guardrails AI Guardrails framework versions 0.2.9 through 0.5.10: to prevent potential code execution, consider disabling the XML validation feature until a patch is available. Restrict the loading of XML files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
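The weakness class described above, shown as an added example that is not Guardrails code: an XML attribute value passed to `eval` next to a literal-only parser and an audit helper that flags non-literal values without evaluating them. The `<spec>`/`<check>` elements, the `name`/`args` attributes and all function names are hypothetical, and both XML strings are constructed sample input.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed sample input; element and attribute names are hypothetical,
# not the Guardrails schema.
TRUSTED_XML = '<spec><check name="length" args="[1, 10]"/></spec>'
UNTRUSTED_XML = (
    '<spec><check name="length" args="__import__(\'os\').getpid()"/></spec>'
)


class UnsafeArgument(ValueError):
    """Raised when an attribute value is not a plain Python literal."""


def parse_args_unsafe(text):
    # The pattern the advisory describes: file content reaches eval(),
    # so any expression in the file runs with the loader's privileges.
    return eval(text)


def parse_args_safe(text):
    # ast.literal_eval accepts only literals (numbers, strings, lists,
    # dicts, tuples, sets, booleans, None) and never calls functions.
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise UnsafeArgument(f"non-literal attribute value: {text!r}") from exc


def load_checks(xml_text, parser=parse_args_safe):
    """Return {check name: parsed args} for every <check> element."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): parser(el.get("args", "[]"))
            for el in root.iter("check")}


def audit(xml_text):
    """List (name, value) pairs the safe parser rejects, evaluating nothing."""
    findings = []
    for el in ET.fromstring(xml_text).iter("check"):
        try:
            parse_args_safe(el.get("args", "[]"))
        except UnsafeArgument:
            findings.append((el.get("name"), el.get("args")))
    return findings
```

`audit` can run over XML files received from outside before anything loads them; a non-empty result means a value would have executed as code under the `eval` pattern.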
Eval Injection
Weakness Enumeration
Related Identifiers
Affected Products
Guardrails Ai Guardrails Framework