CVE-2024-4181

May 16, 2024, 1:03 p.m.

8.8
High

Description

A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.

Product(s) Impacted

Product Versions
llama_index library
  • 0.9.47
RunGpt framework from JinaAI
  • 0.9.47
  • 0.10.13

Weaknesses

References

https://github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba
https://huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1

Tags

CWE-94
security@huntr.dev
2024-05-16
CVE-2024-4181

CVSS Score

8.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Date

  • Published: May 16, 2024, 9:15 a.m.
  • Last Modified: May 16, 2024, 1:03 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.