CVE-2024-3571

Опубликовано: 16 апр. 2024

Источник: nvd

CVSS3: 6.5

CVSS3: 8.8

EPSS Низкий

Описание

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

Ссылки

https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412
Patch
https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8
Exploit
Third Party Advisory
https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412
Patch
https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:langchain:langchain:0.0.351:*:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01741

Низкий

6.5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-rgp8-pm28-3759

CVSS3: 6.5

github

почти 2 года назад

langchain vulnerable to path traversal

EPSS

Процентиль: 82%

0.01741

Низкий

6.5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-22