Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nampyLTYzeDQtdjhjcc4AA2Tu
langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method
langchain_experimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.
Permalink: https://github.com/advisories/GHSA-gjjr-63x4-v8cqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nampyLTYzeDQtdjhjcc4AA2Tu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 2 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-gjjr-63x4-v8cq, CVE-2023-44467
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-44467
- https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483
- https://github.com/langchain-ai/langchain/pull/11233
- https://github.com/pypa/advisory-database/tree/main/vulns/langchain-experimental/PYSEC-2023-194.yaml
- https://pypi.org/project/langchain-experimental/0.0.14
- https://github.com/advisories/GHSA-gjjr-63x4-v8cq
Blast Radius: 22.7
Affected Packages
pypi:langchain-experimental
Dependent packages: 18Dependent repositories: 208
Downloads: 446,146 last month
Affected Version Ranges: <= 0.0.14
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14