Vulnerabilites related to Sinaptik AI - PandasAI
CVE-2024-12366 (GCVE-0-2024-12366)
Vulnerability from cvelistv5
Published
2025-02-11 12:42
Modified
2025-02-11 19:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) instead of the intended explanation of the natural language processing by the LLM.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sinaptik AI | PandasAI |
Version: 2.4.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-11T13:06:54.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/148244"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T19:27:49.899761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T19:28:21.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PandasAI",
"vendor": "Sinaptik AI",
"versions": [
{
"status": "affected",
"version": "2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) instead of the intended explanation of the natural language processing by the LLM."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T12:42:11.882Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://docs.pandas-ai.com/advanced-security-agent"
},
{
"url": "https://docs.getpanda.ai/v3/privacy-security"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-12366",
"x_generator": {
"engine": "VINCE 3.0.11",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-12366"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-12366",
"datePublished": "2025-02-11T12:42:11.882Z",
"dateReserved": "2024-12-09T14:19:01.050Z",
"dateUpdated": "2025-02-11T19:28:21.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}