CVE-2024-23751

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23751

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23751.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-23751

Aliases

Published

2024-01-22T01:15:08Z

Modified

2025-02-14T03:21:50Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

References

https://github.com/run-llama/llama_index/issues/9957

Affected packages

Git / github.com/run-llama/llama_index

Affected ranges

Type: GIT
Repo: https://github.com/run-llama/llama_index
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

7da2d14c048da63bed2defe169cae56ad12289ce