-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-45pg-36p6-83v9] Langchain SQL Injection vulnerability #5005
[GHSA-45pg-36p6-83v9] Langchain SQL Injection vulnerability #5005
Conversation
@@ -1,18 +1,14 @@ | |||
{ | |||
"schema_version": "1.4.0", | |||
"id": "GHSA-45pg-36p6-83v9", | |||
"modified": "2024-11-07T19:23:53Z", | |||
"modified": "2024-11-05T16:58:28Z", | |||
"published": "2024-10-29T15:32:05Z", | |||
"aliases": [ | |||
"CVE-2024-8309" | |||
], | |||
"summary": "Langchain SQL Injection vulnerability", | |||
"details": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", | |||
"severity": [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was removed by the tool - should this be added back?
"severity": [ | |
"severity": [ | |
{ | |
"type": "CVSS_V3", | |
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" | |
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't worry! I understand you didn't intend to remove the CVSS_V3
value and kept the value. 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
027015c
into
efriis/advisory-improvement-5005
Hi @efriis! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
v0.2 branch was patched here: langchain-ai/langchain@64c317e
And released as v0.2.19: https://pypi.org/project/langchain-community/0.2.19/