CVE-2024-12911
7.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Summary
A vulnerability in the default_jsonalyzer function of the JSONalyzeQueryEngine in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| run-llama | run-llama/llama_index | unspecified < 0.5.1 | affected |
Weaknesses
- CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3
- https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.