Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-12911

Опубликовано: 20 мар. 2025
Источник: redhat
CVSS3: 7.1

Описание

A vulnerability in the default_jsonalyzer function of the JSONalyzeQueryEngine in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.

A flaw was found in the run-llama/llama_index repository. This vulnerability allows arbitrary file creation and denial of service (DoS) attacks via SQL injection through prompt injection.

Отчет

This vulnerability marked as moderate rather than important because while it enables SQL injection via prompt injection, the exploitability and impact are constrained. First, successful exploitation requires the attacker to manipulate a user-controlled prompt in a specific way, limiting the attack surface. Second, while arbitrary file creation is possible, it does not necessarily lead to direct remote code execution (RCE) without additional chaining vulnerabilities. Additionally, the Denial-of-Service (DoS) potential is limited to resource exhaustion rather than system-wide failure.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Lightspeedopenshift-lightspeed-tech-preview/lightspeed-service-api-rhel9Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-379
https://bugzilla.redhat.com/show_bug.cgi?id=2353719llama-index: SQL Injection in run-llama/llama_index

7.1 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-12911

CVSS3: 7.1
nvd
11 месяцев назад

A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.

github логотип

GHSA-jmgm-gx32-vp4w

CVSS3: 7.1
github
11 месяцев назад

LlamaIndex vulnerable to Creation of Temporary File in Directory with Insecure Permissions

7.1 High

CVSS3

Уязвимость CVE-2024-12911