[GHSA-45pg-36p6-83v9] Langchain-Community SQL Injection vulnerability

[eyurtsev]

Updates

• Affected products
• CVSS v3

Comments
langchain is structured as a mono-repo. The vulnurable code has existed only in langchain-community since version 0.2.0 of langchain.

• https://github.com/langchain-ai/langchain/blob/langchain==0.2.0/libs/langchain/langchain/chains/graph_qa/cypher.py#L9

[shelbyc]

@eyurtsev Thanks for the clarification. Just to double check, the affected products and their affected versions should be:

• langchain-community with affected version range < 0.3.0 and fixed version 0.3.0
• langchain with affected version range >= 0.2.0, < 0.3.0 and fixed version 0.3.0
  Are these correct?

[eyurtsev]

Hi @shelbyc,

1. The vulnerable code was moved out of the langchain package at 0.2.0. (so langchain is patched as of 0.2.0)
2. langchain-community got the code in 0.2.0 and was patched at version 0.3.0.

So we'd want the following information:

• langchain with affected version range >= 0.0.0, < 0.2.0, patched as of 0.2.0
• langchain-community with affected version range >=0.2.0, < 0.3.0, patched as of 0.3.0

[advisory-database]

Hi @eyurtsev! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@eyurtsev Thanks for the clarification! I've updated langchain-community to affected version range >= 0.2.0, < 0.3.0 and patched version 0.3.0 and added langchain with affected version range < 0.2.0 and patched version 0.2.0. If I made a mistake anywhere in the update or you see any other issues that need to be addressed, as always, feel free to reach out. 👍