Products
Haystack
- 2.3.1
Source
security-advisories@github.com
Tags
CVE-2024-41950 details
Published : July 31, 2024, 4:15 p.m.
Last Modified : July 31, 2024, 4:15 p.m.
Last Modified : July 31, 2024, 4:15 p.m.
Description
Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.5
Exploitability Score
1.6
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
URL | Source |
---|---|
https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0 | security-advisories@github.com |
https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e | security-advisories@github.com |
https://github.com/deepset-ai/haystack/pull/8095 | security-advisories@github.com |
https://github.com/deepset-ai/haystack/pull/8096 | security-advisories@github.com |
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1 | security-advisories@github.com |
https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.