Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-45pg-36p6-83v9] Langchain SQL Injection vulnerability #5005

Merged
merged 1 commit into from
Nov 12, 2024
Merged

[GHSA-45pg-36p6-83v9] Langchain SQL Injection vulnerability #5005

merged 1 commit into from
Nov 12, 2024
+6 −6

Conversation

efriis
Copy link

@efriis efriis commented Nov 12, 2024

Updates

  • Affected products
  • CVSS v3
  • References

Comments
v0.2 branch was patched here: langchain-ai/langchain@64c317e

And released as v0.2.19: https://pypi.org/project/langchain-community/0.2.19/

@github-actions github-actions bot changed the base branch from main to efriis/advisory-improvement-5005 November 12, 2024 19:22
efriis
efriis commented Nov 12, 2024
View reviewed changes
advisories/github-reviewed/2024/10/GHSA-45pg-36p6-83v9/GHSA-45pg-36p6-83v9.json
@@ -1,18 +1,14 @@
{
"schema_version": "1.4.0",
"id": "GHSA-45pg-36p6-83v9",
"modified": "2024-11-07T19:23:53Z",
"modified": "2024-11-05T16:58:28Z",
"published": "2024-10-29T15:32:05Z",
"aliases": [
"CVE-2024-8309"
],
"summary": "Langchain SQL Injection vulnerability",
"details": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.",
"severity": [
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was removed by the tool - should this be added back?

Suggested change
"severity": [
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't worry! I understand you didn't intend to remove the CVSS_V3 value and kept the value. 👍

dlqqq
dlqqq approved these changes Nov 12, 2024
View reviewed changes
Copy link

@dlqqq dlqqq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@advisory-database advisory-database bot merged commit 027015c into efriis/advisory-improvement-5005 Nov 12, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @efriis! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the efriis-GHSA-45pg-36p6-83v9 branch November 12, 2024 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shelbyc shelbyc shelbyc left review comments

@dlqqq dlqqq dlqqq approved these changes

@eyurtsev eyurtsev eyurtsev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@efriis @eyurtsev @shelbyc @dlqqq