CVE-2023-39660 — pandasai vulnerable to prompt injection

Description

An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function.

How to fix CVE-2023-39660

To remediate CVE-2023-39660, upgrade the affected package to a fixed version below.

PyPI/pandasai—upgrade to 0.8.1 or later

Is CVE-2023-39660 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.8.1

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-39660
PATCHgithub.com/gventuri/pandas-ai
WEBgithub.com/gventuri/pandas-ai/commit/3aac79be8fc1d18b53d66a566adddbbdd2b38ad5
WEBgithub.com/gventuri/pandas-ai/issues/399
WEB