:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2024-27444 - Critical Severity Vulnerability
Vulnerable Library - langchain-0.0.352-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/0f/36/58f4d9df45436670a5b6b82ff48522b6233fa35bd21b133b149c1c7ec8bd/langchain-0.0.352-py3-none-any.whl
Path to dependency file: /src/project/ai-rag-llm/ollama-repo-changes/requirements.txt
Path to vulnerable library: /src/project/ai-rag-llm/ollama-repo-changes/requirements.txt
Dependency Hierarchy:
- :x: **langchain-0.0.352-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: f70a0e81a769b0c35b61d7e4db8b4b08bda6811d
Found in base branch: main
Vulnerability Details
langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.
Note for triage: the code path named in the description, pal_chain/base.py, belongs to the langchain_experimental distribution, while the finding above is matched against the langchain wheel by version. Before treating this as exploitable, confirm whether the project actually installs langchain_experimental and executes model-generated Python through PALChain; if it does not, the upgrade is still advisable but the finding is not reachable.
Publish Date: 2024-02-26
URL: CVE-2024-27444
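The bypass the description lists is an incomplete denylist: a validator that only rejects import statements and direct calls to names such as exec or __import__ never inspects attribute chains, subscripts or string arguments, so a path like ().__class__.__base__.__subclasses__() or __builtins__['__import__'] passes unchallenged. The Python below is an added illustration written for this page, not code from langchain or langchain_experimental; the two validators, the name sets and the sample programs are assumptions constructed to show the gap, and the samples are only parsed, never executed.

```python
import ast

# Denylist in the style of an earlier, name-only fix: bare names that must
# not be called. Chosen for this illustration, not langchain's own list.
BLOCKED_CALLS = {"exec", "eval", "compile", "open", "__import__"}

# The attribute names the CVE-2024-27444 description says the pre-0.1.8
# validator did not prohibit.
DANGEROUS_ATTRIBUTES = {
    "__import__", "__subclasses__", "__builtins__", "__globals__",
    "__getattribute__", "__bases__", "__mro__", "__base__",
}


class CodeRejected(Exception):
    """Raised when generated code fails validation."""


def validate_naive(code: str) -> None:
    """Reject import statements and direct calls to blocked builtins only.

    Calls are checked by bare name, so attribute access, subscripts and
    string arguments are never inspected. That is the gap being shown.
    """
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise CodeRejected("import statement")
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in BLOCKED_CALLS):
            raise CodeRejected(f"call to {node.func.id}")


def validate_hardened(code: str) -> None:
    """Naive checks plus a refusal of the dunder names listed above.

    They are refused as attribute access (x.__subclasses__), as a bare name
    (__builtins__), and as a string constant, which covers
    getattr(obj, "__subclasses__") and __builtins__["__import__"].
    """
    validate_naive(code)
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr in DANGEROUS_ATTRIBUTES:
            raise CodeRejected(f"attribute {node.attr}")
        if isinstance(node, ast.Name) and node.id in DANGEROUS_ATTRIBUTES:
            raise CodeRejected(f"name {node.id}")
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value in DANGEROUS_ATTRIBUTES):
            raise CodeRejected(f"string {node.value!r}")


def is_allowed(code: str, validator) -> bool:
    """True if the validator accepts the code, False if it raises CodeRejected."""
    try:
        validator(code)
    except CodeRejected:
        return False
    return True


# Constructed sample programs of the shape a PAL-style chain would run.
# They are parsed by the validators only; nothing here executes them.
SAMPLES = {
    "benign": "def solution():\n    return 6 * 7\n",
    "import_stmt": "import os\ndef solution():\n    return os.getcwd()\n",
    "subclasses_walk": (
        "def solution():\n"
        "    return ().__class__.__base__.__subclasses__()\n"
    ),
    "builtins_subscript": (
        "def solution():\n"
        "    return __builtins__['__import__']('os').getcwd()\n"
    ),
    "getattr_string": (
        "def solution():\n"
        "    return getattr(solution, '__globals__')['__builtins__']\n"
    ),
}


def bypass_report() -> dict:
    """Map each sample name to (accepted_by_naive, accepted_by_hardened)."""
    return {
        name: (is_allowed(src, validate_naive), is_allowed(src, validate_hardened))
        for name, src in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive_ok, hard_ok) in bypass_report().items():
        print(f"{name:20s} naive={'pass' if naive_ok else 'REJECT':6s} "
              f"hardened={'pass' if hard_ok else 'REJECT'}")
```

Running the block prints, for each sample, whether the naive and hardened validators accept it: only the benign program passes both, the import statement fails both, and the three dunder-based programs pass the naive check and fail the hardened one. The hardened list is still a denylist, and a denylist is only as good as its coverage of every reachable name, so the durable control for a chain that executes model-generated code is to run that code in an isolated process or sandbox rather than in the application interpreter.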
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27444
Release Date: 2024-02-26
Fix Resolution: 0.1.8