GHSA-v8vj-cv27-hjv8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v8vj-cv27-hjv8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-v8vj-cv27-hjv8/GHSA-v8vj-cv27-hjv8.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-v8vj-cv27-hjv8
- Aliases
- Published
- 2024-02-26T18:30:31Z
- Modified
- 2024-08-06T18:48:26.961334Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LangChain Experimental vulnerable to arbitrary code execution
- Details
-
langchain_experimental (aka LangChain Experimental) before 0.0.52, part of LangChain before 0.1.8, allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the
__import__,__subclasses__,__builtins__,__globals__,__getattribute__,__bases__,__mro__, or__base__attribute in Python code. These are not prohibited bypal_chain/base.py. - Database specific
{ "nvd_published_at": "2024-02-26T16:28:00Z", "cwe_ids": [ "CWE-749" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-02-26T21:00:12Z" }- References
Affected packages
PyPI / langchain-experimental
Package
- Name
- langchain-experimental
- View open source insights on deps.dev
- Purl
- pkg:pypi/langchain-experimental
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.52
Affected versions
0.*
0.0.1rc1
0.0.1rc2
0.0.1rc3
0.0.1rc4
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.0.39
0.0.40
0.0.41
0.0.42
0.0.43
0.0.44
0.0.45
0.0.46
0.0.47
0.0.48
0.0.49
0.0.50
0.0.51