Arbitrary Code Execution Vulnerability in llama_index's exec_utils
CVE-2024-3098
9.8 CRITICAL
What is CVE-2024-3098?
A vulnerability exists in the exec_utils class of the llama_index package, specifically within the safe_eval function. The flaw allows prompt injection that enables attackers to execute arbitrary code on affected systems. The root cause is inadequate validation of user input, which can be exploited to circumvent access controls and run unauthorized commands. This issue builds on a previously addressed vulnerability; the proof-of-concept exploit demonstrates that it can be used to create files on the system.
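The root cause named above is insufficient validation in front of an eval-style sink. The following is an added illustration (not llama_index's code and not the project's fix) of the allowlist approach such a function needs: parse the input to an AST, accept only arithmetic, comparison and literal nodes, resolve names only from a caller-supplied dictionary, and evaluate with no builtins. The function and class names are the example's own.

```python
import ast
from typing import Any, Dict, Iterable, Optional

# Node types permitted in an expression. Attribute, Call, Subscript,
# comprehensions and f-strings are deliberately absent: they are the usual
# routes from a "harmless" expression to arbitrary code. Pow is omitted too,
# because huge exponents exhaust memory.
_ALLOWED_NODES = {
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Constant, ast.Name, ast.Load, ast.List, ast.Tuple, ast.Dict,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
    ast.UAdd, ast.USub, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
}

class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax or names outside the allowlist."""

def check_expression(source: str, allowed_names: Iterable[str] = ()) -> ast.Expression:
    """Parse `source` as a single expression and reject anything not allowlisted."""
    allowed = set(allowed_names)
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if type(node) not in _ALLOWED_NODES:
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in allowed:
            raise UnsafeExpression(f"unknown name: {node.id}")
    return tree

def is_safe(source: str, allowed_names: Iterable[str] = ()) -> bool:
    """Boolean form of check_expression, handy for logging rejected inputs."""
    try:
        check_expression(source, allowed_names)
    except UnsafeExpression:
        return False
    return True

def safe_eval(source: str, variables: Optional[Dict[str, Any]] = None) -> Any:
    """Evaluate a validated expression with no builtins and only caller-supplied names."""
    variables = dict(variables or {})
    tree = check_expression(source, variables)
    # Empty __builtins__ leaves no path to open, __import__ and friends, and the
    # AST allowlist above already rules out attribute access and calls.
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, variables)
```

The allowlist, not a blocklist of dangerous substrings, is what makes the check hold up: any syntax the evaluator never needed is rejected before it reaches eval.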
Affected Version(s)
run-llama/llama_index < 0.10.24