CVE-2024-3271

CVSS V2 None CVSS V3 None

Description

A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.

Overview

CVE ID
CVE-2024-3271

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-16T00:00:15.108Z

Last Modified Date
2024-06-04T17:31:15.412Z

Weakness Enumerations

CWE	URL
CWE-77	http://cwe.mitre.org/data/definitions/77.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279
https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3271
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3271

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:21:08				Added to TrackCVE