Command Injection Vulnerability in JinaAI's RunGpt Framework Could Lead to Full Control Over Client Machines
CVE-2024-4181
8.8HIGH
Key Information
- Vendor: Run-llama
- Product: run-llama/llama_index
- CVE Published: 16 May 2024
Summary
A command injection vulnerability exists in the RunGptLLM class of the llama_index library (reported against version 0.9.47), which the RunGpt framework from JinaAI uses to connect to Large Language Models (LLMs). The class hands data received from the LLM hosting endpoint to Python's built-in eval instead of parsing it as plain data, so a malicious or compromised LLM hosting provider can return a Python expression that is executed with the privileges of the client process. Because the client must first send a request to the hostile endpoint, the CVSS vector records user interaction as required; once that happens the provider can run arbitrary commands and take full control of the client machine. The issue was fixed in version 0.10.13.
Affected Version(s)
run-llama/llama_index < 0.10.13
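The two points above (eval applied to an endpoint's response, and the affected version range) are illustrated by the following added example. It is not code from llama_index or RunGpt: the response bodies are constructed for the demo, the assumed response shape is a JSON object with a "message" key, and the malicious payload only calls os.getcwd() so that running it is harmless, whereas a real attacker would send any expression they like.

```python
"""Illustration of CVE-2024-4181's root cause plus an affected-version check.

Added example; not code from llama_index or RunGpt. The server bodies below
are constructed, and the endpoint shape (a JSON object with a "message" key)
is an assumption used only for this demonstration.
"""
import json
import os
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Optional, Tuple

# Constructed sample responses (not captured from a real RunGpt server).
# A well-behaved server answers with plain JSON:
BENIGN_BODY = '{"message": "Hello from the model"}'
# A malicious or compromised server can answer with a Python expression.
# It is not JSON, but eval() runs it anyway. The payload here only calls
# os.getcwd() so the demo is harmless; a real attacker would run anything.
MALICIOUS_BODY = '{"message": __import__("os").getcwd()}'


def parse_vulnerable(body: str) -> str:
    """Vulnerable pattern: eval() on an untrusted HTTP response body."""
    return eval(body)["message"]  # deliberately unsafe, for demonstration


def parse_fixed(body: str) -> str:
    """Hardened parser: a real JSON decoder plus a shape check."""
    data = json.loads(body)  # raises json.JSONDecodeError on non-JSON input
    message = data.get("message") if isinstance(data, dict) else None
    if not isinstance(message, str):
        raise ValueError("unexpected response shape from LLM server")
    return message


def vulnerable_executes_payload() -> bool:
    """True if the vulnerable parser ran the server-supplied os.getcwd() call."""
    return parse_vulnerable(MALICIOUS_BODY) == os.getcwd()


def fixed_rejects(body: str) -> bool:
    """True if the hardened parser refuses the body instead of executing it."""
    try:
        parse_fixed(body)
    except (json.JSONDecodeError, ValueError):
        return True
    return False


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'0.9.47' -> (0, 9, 47). Non-numeric suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(llama_index_version: str) -> bool:
    """Affected range from this advisory: run-llama/llama_index < 0.10.13."""
    return _version_tuple(llama_index_version) < (0, 10, 13)


def installed_is_affected() -> Optional[bool]:
    """Check the llama-index distribution installed in this environment.

    Returns None when the package is not installed at all.
    """
    try:
        return is_affected(version("llama-index"))
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    print("benign response, vulnerable parser:", parse_vulnerable(BENIGN_BODY))
    print("malicious response, vulnerable parser ran attacker code:",
          vulnerable_executes_payload())
    print("malicious response, fixed parser rejected it:",
          fixed_rejects(MALICIOUS_BODY))
    for v in ("0.9.47", "0.10.12", "0.10.13"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("installed llama-index affected:", installed_is_affected())
```

The fixed parser does two things the vulnerable one does not: it uses a decoder that can only produce data (json.loads raises on a bare identifier or call expression), and it checks the decoded shape before trusting it, so a server that returns valid JSON of the wrong type is also refused rather than causing a confusing failure further down the client.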
CVSS v3.1
- Score: 8.8
- Severity: HIGH
- Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Timeline
- CVSS v3.1 score assigned: 8.8 (HIGH).
- Vulnerability published: 16 May 2024.
- Vulnerability reserved.
Collectors
- NVD Database
- MITRE Database