CVE-2024-23751
Published Jan 22, 2024
Last updated 10 months ago
Overview
- Description
- LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.
- Source
- cve@mitre.org
- NVD status
- Analyzed
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Weaknesses
- nvd@nist.gov
- CWE-89
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A85457FA-3A68-45F3-9AB7-7E367D18EC67",
"versionEndIncluding": "0.9.34"
}
],
"operator": "OR"
}
]
}
]