An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zMzlyLWNqdjkteDc4Z84ABFsu

Severity: Critical. EPSS: 0.00305% (0.53276 percentile)

LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection

Affected package: pypi:llama-index-retrievers-duckdb-retriever
Affected versions: < 0.4.0
Fixed version: 0.4.0
0 Dependent packages
0 Dependent repositories
68 Downloads last month

Affected Version Ranges

All affected versions

0.1.4, 0.2.0, 0.3.0

All unaffected versions

0.4.0

A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in llama-index-retrievers-duckdb-retriever prior to v0.4.0. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
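The defect the advisory describes, splicing retriever input into a SQL string instead of binding it, is shown below as an added example. It is not code from the advisory or from the llama_index project: the document table, its rows and the `search_unsafe` / `search_safe` functions are constructed here for illustration. It runs against an in-memory DuckDB database and, as an assumption about the environment, falls back to the standard-library sqlite3 module when the duckdb package is not installed; both expose the same DB-API `?` placeholders, so the hardened form is identical for either engine.

```python
"""Added example: a string-built retrieval query next to its parameterized form.
Not code from the advisory or from llama_index; the schema and rows are constructed."""

try:
    import duckdb as _db  # the engine the advisory concerns

    def connect():
        return _db.connect()  # in-memory DuckDB database
except ImportError:  # assumption: fall back to the stdlib engine if duckdb is absent
    import sqlite3 as _db

    def connect():
        return _db.connect(":memory:")

# Constructed sample corpus standing in for a retriever's document table.
# The visibility column models a filter the query is supposed to enforce.
DOCS = [
    (1, "public", "DuckDB stores columnar data"),
    (2, "public", "Retrievers return the top-k chunks"),
    (3, "secret", "Internal API token rotation schedule"),
]


def make_conn():
    con = connect()
    con.execute("CREATE TABLE docs (id INTEGER, visibility VARCHAR, text VARCHAR)")
    for row in DOCS:
        con.execute("INSERT INTO docs VALUES (?, ?, ?)", list(row))
    return con


def search_unsafe(con, query: str) -> list:
    # The pattern the advisory describes: caller-supplied text becomes part of the SQL,
    # so a quote in the input terminates the literal and the rest is parsed as SQL.
    sql = (
        "SELECT id FROM docs WHERE visibility = 'public' "
        f"AND text LIKE '%{query}%'"
    )
    return sorted(r[0] for r in con.execute(sql).fetchall())


def search_safe(con, query: str) -> list:
    # Hardened form: the SQL text is constant and the input travels as a bound
    # parameter, so it can only ever be compared as a value, never parsed as SQL.
    sql = (
        "SELECT id FROM docs WHERE visibility = 'public' "
        "AND text LIKE '%' || ? || '%'"
    )
    return sorted(r[0] for r in con.execute(sql, [query]).fetchall())


def demo() -> dict:
    """Run an ordinary query and a quote-containing probe through both variants."""
    con = make_conn()
    probe = "' OR visibility = 'secret' --"  # constructed probe: closes the literal
    return {
        "plain_unsafe": search_unsafe(con, "DuckDB"),
        "plain_safe": search_safe(con, "DuckDB"),
        "probe_unsafe": search_unsafe(con, probe),  # visibility filter is bypassed
        "probe_safe": search_safe(con, probe),      # probe is just a string; no match
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids}")
```

The ordinary query returns the same row from both functions; the probe shows the difference. In `search_unsafe` the quote ends the `LIKE` literal and the `--` comments out the remainder, so the `visibility = 'public'` guard is defeated and every row, including the secret one, comes back. In `search_safe` the same input is matched as a literal substring and returns nothing. The fix the advisory points to is the second shape: keep the SQL constant and pass every value through the driver's parameter binding.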

References: