CVE-2024-3271 — llama-index-core Command Injection vulnerability

Description

A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.

How to fix CVE-2024-3271

To remediate CVE-2024-3271, upgrade the affected package to a fixed version below.

—upgrade to 0.10.24 or later

Is CVE-2024-3271 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.10.24

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-3271
PATCHgithub.com/run-llama/llama_index
WEBgithub.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5
WEBgithub.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475