Exposed Dangerous Method or Function

CVE-2024-27444

High

9.8/10

Summary

langchain_experimental (aka LangChain Experimental) prior to 0.0.52 in LangChain prior to 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the "__import__", "__subclasses__", "__builtins__", "__globals__", "__getattribute__", "__bases__", "__mro__", or "__base__" attribute in Python code. These are not prohibited by pal_chain/base.py.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-749 - Exposed Dangerous Method or Function

The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

References

Advisory
Pull request
Release Note

Advisory Timeline

Published Feb 26, 2024

Exposed Dangerous Method or Function

CVE-2024-27444

Summary

CWE-749 - Exposed Dangerous Method or Function

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS