CVE-2024-3271 – A command injection vulnerability exists in the run-llama/llama_index repository, …

16 April 2024

Vuln ID: CVE-2024-3271

Published: 2024-04-16 00:15:12.017

Description: A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.

Base Score: –

Vector:

Source: NVD.NIST.GOV

Date:

16 April 2024

Categorie(s):

NVD

Tag(s):

NVD

AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people’s location info29 April 2024
Board’s Pivotal Role in Cybersecurity as CISO-CEO Communication Gaps Continue – BSW #34829 April 2024
Meet Silver SAML: Golden SAML in the Cloud – Eric Woodruff – BSW #34829 April 2024
F5 shares fall over 9% on disappointing third quarter guidance29 April 2024
Google blocked 2.3M apps from Play Store last year for breaking the G law29 April 2024