Products
Guardrails AI Guardrails framework
- 0.2.9 up to 0.5.10
Source
6f8de1f0-f67e-45a6-b68f-98777fdb759c
Tags
CVE-2024-45858 details
Published : Sept. 18, 2024, 3:15 p.m.
Last Modified : Sept. 18, 2024, 3:15 p.m.
Last Modified : Sept. 18, 2024, 3:15 p.m.
Description
An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.8 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.8
Exploitability Score
1.8
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
URL | Source |
---|---|
https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails/ | 6f8de1f0-f67e-45a6-b68f-98777fdb759c |
This website uses the NVD API, but is not approved or certified by it.