justunsix / automatetheboringstuff-py-tests

Testing Python following Automate the Boring Stuff with Python By Al Sweigart
MIT License

CVE-2024-27444 (Critical) detected in langchain-0.0.352-py3-none-any.whl - autoclosed #70

Closed mend-bolt-for-github[bot] closed 1 hour ago

mend-bolt-for-github[bot] commented 2 hours ago

CVE-2024-27444 - Critical Severity Vulnerability

Vulnerable Library - langchain-0.0.352-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/0f/36/58f4d9df45436670a5b6b82ff48522b6233fa35bd21b133b149c1c7ec8bd/langchain-0.0.352-py3-none-any.whl

Path to dependency file: /src/project/ai-rag-llm/ollama-repo-changes/requirements.txt

Path to vulnerable library: /src/project/ai-rag-llm/ollama-repo-changes/requirements.txt

Dependency Hierarchy:

- :x: **langchain-0.0.352-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: f70a0e81a769b0c35b61d7e4db8b4b08bda6811d

Found in base branch: main

Vulnerability Details

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.

Publish Date: 2024-02-26

URL: CVE-2024-27444

CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27444

Release Date: 2024-02-26

Fix Resolution: 0.1.8


mend-bolt-for-github[bot] commented 1 hour ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.