CVE-2024-41950

EPSS 1.57%
Veröffentlicht 31.07.2024 16:15:04
Zuletzt bearbeitet 01.08.2024 12:42:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerdeepset

≫

Produkt haystack

Default Statusunknown

Version < 2.3.1

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.57%	0.811

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0

https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e

https://github.com/deepset-ai/haystack/pull/8095

https://github.com/deepset-ai/haystack/pull/8096

https://github.com/deepset-ai/haystack/releases/tag/v2.3.1

https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677

https://nvd.nist.gov/vuln/detail/CVE-2024-41950

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41950

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41950

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-41950