Llamaindex
CVE-2024-45201
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
AnalysisAI
An issue was discovered in llama_index before 0.10.38. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}. Affected products include: Llamaindex. Version information: before 0.10.38..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
More in Llamaindex
View allA SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specif
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
SQL injection in llama_index DuckDB vector store v0.12.19. PoC and patch available.
Critical SQL injection vulnerability affecting run-llama/llama_index v0.12.21 and potentially other versions, present in
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval func
LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, S
An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter
A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the
Denial-of-service in LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 lets remote unauthenticated
Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Inde
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, a
A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_i
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today