aws-solutions / qnabot-on-aws

AWS QnABot is a multi-channel, multi-language conversational interface (chatbot) that responds to your customer's questions, answers, and feedback. The solution allows you to deploy a fully functional chatbot across multiple channels including chat, voice, SMS and Amazon Alexa.
https://aws.amazon.com/solutions/implementations/aws-qnabot
Apache License 2.0

Critical Vulnerabilities in aws inspector #781

Closed anjugds closed 1 week ago

anjugds commented 3 weeks ago

Hi @abhirpat,

Last week in AWS Inspector, critical vulnerabilities were identified in multiple Lambdas. We ran the v6.0.1 version of CloudFormation. Could you please help with this?

CVE-2024-7042 - @langchain/community, langchain
CVE-2024-7774 - langchain

fhoueto-amz commented 2 weeks ago

Hi @anjugds, thanks for reporting this with detailed information. We will look into this and revert back.

preethy-1 commented 2 weeks ago

Hi @abhirpat

We ran the v6.1.3 version of CloudFormation and this is a critical vulnerability in our account. Could you please help us with this?

anjugds commented 1 week ago

Hi @fhoueto-amz, we are currently awaiting a resolution, as this issue is impacting a client project and is preventing further production deployments. Your prompt assistance is needed, as this involves a critical vulnerability with prompt injection and SQL injection.

michaelin-96 commented 1 week ago

Hi @anjugds, we are planning to address this in the next CVE patch release (6.1.5) sometime this week. Thanks again for bringing this up!

mfarnga commented 1 week ago

Were you able to deploy the CVE Patch yesterday?

michaelin-96 commented 1 week ago

@mfarnga v6.1.5 CVE Patch is out, see.

Closing this ticket.