Name of the Vulnerable Software and Affected Versions:
llama-index-packs-finchat versions up to v0.3.0
run-llama/llama index versions up to v0.12.3
Description:
A vulnerability exists in the FinanceChatLlamaPack component, allowing SQL injection in the `run sql query` function of the `database agent`. An attacker can exploit this issue to inject arbitrary SQL queries, potentially leading to remote code execution (RCE) by leveraging PostgreSQL's large object functionality.
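The pattern behind this class of bug and one hardened alternative, as an added example that is not the pack's own code: an agent tool that executes model-produced SQL verbatim (so stacked statements run with the tool's database privileges) beside one that accepts a single read-only SELECT on a connection that cannot write. SQLite stands in for PostgreSQL so it runs offline; the table, data and function names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the agent's finance database (not the pack's real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (ticker TEXT, close REAL)")
    conn.executemany("INSERT INTO prices VALUES (?, ?)",
                     [("ACME", 10.5), ("INIT", 3.25)])
    conn.commit()
    return conn

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE name = ?", (name,)).fetchone()
    return row is not None

def run_sql_query_unsafe(conn: sqlite3.Connection, query: str) -> list:
    # Vulnerable pattern: the model-produced text is executed verbatim, so any
    # stacked statement it contains runs with the tool's database privileges.
    cur = conn.cursor()
    cur.executescript(query)
    return cur.fetchall()

class QueryRejected(ValueError):
    """Raised when a model-produced query fails the allow-list check."""

_SELECT_ONLY = re.compile(r"^\s*SELECT\b", re.IGNORECASE)

def run_sql_query_safe(conn: sqlite3.Connection, query: str, max_rows: int = 100) -> list:
    body = query.strip().rstrip(";")
    # Reject statement separators and comments outright. This is conservative
    # (a ';' inside a string literal is refused too), but the tool only ever
    # needs one read-only SELECT, so the trade-off is acceptable.
    if ";" in body or "--" in body or "/*" in body:
        raise QueryRejected("multiple statements or comments are not allowed")
    if not _SELECT_ONLY.match(body):
        raise QueryRejected("only SELECT statements are allowed")
    # Defence in depth: make the connection read-only so a bypass of the text
    # check still cannot write. On PostgreSQL the equivalent is a dedicated
    # read-only role, which matters because functions callable from a SELECT
    # (the advisory cites large object functionality) can have side effects.
    conn.execute("PRAGMA query_only = ON")
    try:
        return conn.execute(body).fetchmany(max_rows)
    except sqlite3.OperationalError as exc:
        raise QueryRejected(f"query refused by database: {exc}") from exc

if __name__ == "__main__":
    db = make_db()
    print(run_sql_query_safe(db, "SELECT ticker, close FROM prices WHERE close > 5"))
```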
Recommendations:
llama-index-packs-finchat versions up to v0.3.0: The package is no longer officially supported and has been moved to the `stale packages` branch, effectively removing it from documentation.
run-llama/llama index versions up to v0.12.3: Update to version 0.3.0 or later to resolve the issue.