CVE-2024-3098

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-3098
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3098.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-3098
Aliases
Published
2024-04-10T17:15:56.213Z
Modified
2026-03-14T12:30:43.110176Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability was identified in the exec_utils class of the llama_index package, specifically within the safe_eval function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.

References

Affected packages

Git / github.com/run-llama/llama_index

Affected ranges

Type
GIT
Repo
https://github.com/run-llama/llama_index
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5fbcb5a8b9f20f81b791c7fc8849e352613ab475
Type
GIT
Repo
https://github.com/run-llama/llama_index
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5fbcb5a8b9f20f81b791c7fc8849e352613ab475

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "a"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3098.json"