Command Injection Vulnerability in JinaAI's RunGpt Framework Could Lead to Full Control Over Client Machines
CVE-2024-4181
8.8 HIGH
Key Information:
- Vendor: Run-llama
- Product: Run-llama/llama Index
- CVE Published: 16 May 2024
Summary
A command injection vulnerability exists in the Llama_Index library, specifically in the RunGptLLM class used by JinaAI's RunGpt framework. The flaw stems from the improper use of the eval function on data received from the hosting provider, so a malicious or compromised hosting provider can execute arbitrary commands on the client's machine. Successful exploitation could give the hosting provider full control over the client system. The issue was fixed in Llama_Index version 0.10.13; updating to that version or later mitigates the vulnerability.
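As an added illustration (not code from llama_index or RunGpt), the snippet below contrasts the eval-based response parsing pattern the advisory describes with a hardened version that treats the provider's reply strictly as JSON data; the response strings, field names and function names are constructed assumptions, not the library's own.

```python
import json
from typing import Any

# Constructed sample replies standing in for what a RunGpt-style hosting
# endpoint might return; they are not captured from a real server.
BENIGN_RESPONSE = '{"choices": [{"text": "Hello from the model"}]}'
# Not JSON, but a perfectly valid Python expression.
NON_JSON_RESPONSE = "1 + 1"
# Valid JSON, but not the shape the client expects.
WRONG_SHAPE_RESPONSE = '{"foo": 1}'


def parse_response_unsafe(body: str) -> Any:
    """Vulnerable pattern: the server's reply is evaluated as Python.

    Whatever the hosting provider sends back runs inside the client
    process, which is the root cause of CVE-2024-4181. It "works" on
    JSON-looking text only because a JSON object is also a dict literal.
    """
    return eval(body)  # intentionally unsafe, shown to illustrate the flaw


def parse_response_safe(body: str) -> dict:
    """Hardened pattern: decode as JSON, then validate the expected shape."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not isinstance(data.get("choices"), list):
        raise ValueError("response missing a 'choices' list")
    for choice in data["choices"]:
        if not isinstance(choice, dict) or not isinstance(choice.get("text"), str):
            raise ValueError("malformed entry in 'choices'")
    return data


def completion_text(body: str) -> str:
    """Extract the first completion from a validated response."""
    return parse_response_safe(body)["choices"][0]["text"]


def is_rejected(body: str) -> bool:
    """True if the hardened parser refuses the reply instead of using it."""
    try:
        parse_response_safe(body)
    except ValueError:
        return True
    return False
```

The unsafe parser happily evaluates `NON_JSON_RESPONSE` as an expression, while the hardened one raises and never interprets the reply as code.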
Affected Version(s)
run-llama/llama_index < 0.10.13
CVSS V3.1
- Score: 8.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged