CVE-2024-8309

CVSS V2 None CVSS V3 None

Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Overview

CVE ID
CVE-2024-8309

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-10-29T12:50:13.198Z

Last Modified Date
2024-10-29T18:14:46.661Z

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5
https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-8309
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8309

History

Created	Old Value	New Value	Data Type	Notes
2024-10-30 13:11:49				Added to TrackCVE