Description
An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`.
A vulnerability was found in the llama_index application: the download_integration() function passes an externally supplied parameter into Python's exec() function. If an attacker can control that parameter, the vulnerability may lead to remote code execution.
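To make the class of bug concrete, the following is an added example that is not llama_index's own code: it reproduces the pattern the description names (an import statement built from an external string and handed to exec()) beside a hardened loader that validates the name and resolves it through an allowlist with importlib. The KNOWN_CLASSES registry, the LLAMA_DEMO_PWNED environment variable and the payload are constructed for the demonstration and are assumptions, not details of the real project.

```python
import collections
import importlib
import os
import re

# Constructed registry for the demo (an assumption, not llama_index's data):
# maps a class name a caller may ask for to the module that provides it.
KNOWN_CLASSES = {"JSONDecoder": "json", "OrderedDict": "collections"}

# Python identifiers only: no dots, spaces, semicolons or newlines.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def vulnerable_load(cls_name: str) -> dict:
    """The pattern the advisory describes: an import statement is built from an
    externally supplied name and fed to exec(). Everything after the first
    module name is parsed and run as Python, so whoever controls cls_name gets
    arbitrary code execution in this process."""
    ns: dict = {}
    exec(f"import {cls_name}", ns)  # deliberately unsafe, for demonstration
    return ns


def safe_load(cls_name: str):
    """Hardened equivalent: reject anything that is not a bare identifier,
    look the name up in an allowlist, and import with importlib instead of
    exec(). importlib.import_module alone is not enough, since it would still
    import any installed module an attacker names; the allowlist is the
    actual control."""
    if not _IDENT.fullmatch(cls_name):
        raise ValueError(f"invalid class name: {cls_name!r}")
    module_name = KNOWN_CLASSES.get(cls_name)
    if module_name is None:
        raise LookupError(f"class not in allowlist: {cls_name}")
    module = importlib.import_module(module_name)
    return getattr(module, cls_name)


def demo() -> dict:
    """Run both loaders against the same attacker-controlled string and report
    what happened. The payload only sets an environment variable so that the
    side effect is observable without doing anything harmful."""
    payload = "json; import os; os.environ['LLAMA_DEMO_PWNED'] = '1'"
    vulnerable_load(payload)
    results = {"injected_code_ran": os.environ.get("LLAMA_DEMO_PWNED") == "1"}
    results["safe_load_ok"] = safe_load("OrderedDict") is collections.OrderedDict
    try:
        safe_load(payload)
        results["payload_rejected"] = False
    except ValueError:
        results["payload_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The semicolon in the payload is the whole attack: `exec("import json; import os; ...")` is a valid multi-statement program, so the "import" prefix provides no protection at all. Any fix that keeps exec() but tries to filter the string is fragile; the durable fix is to stop compiling user input and to resolve names from a fixed mapping.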
Statement
No Red Hat products are affected by this vulnerability.
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed-beta/lightspeed-service-api-rhel9 | Not affected | | |
Additional information
Severity:
Important
Weakness:
CWE-94
https://bugzilla.redhat.com/show_bug.cgi?id=2307415
llama_index: exec call in download/integration.py may lead to code injection
CVSS3: 8.8 High
Related vulnerabilities
CVSS3: 8.8
nvd
more than 1 year ago
An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`.
CVSS3: 9.8
github
more than 1 year ago
LlamaIndex includes an exec call for `import {cls_name}`