pysec-2023-162
Vulnerability from pysec
Published
2023-09-01 16:15
Modified
2023-10-04 16:56
Severity ?
Details
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
Impacted products
| Name | purl | langchain | pkg:pypi/langchain |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain",
"purl": "pkg:pypi/langchain"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.308"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1",
"0.0.10",
"0.0.100",
"0.0.101",
"0.0.101rc0",
"0.0.102",
"0.0.102rc0",
"0.0.103",
"0.0.104",
"0.0.105",
"0.0.106",
"0.0.107",
"0.0.108",
"0.0.109",
"0.0.11",
"0.0.110",
"0.0.111",
"0.0.112",
"0.0.113",
"0.0.114",
"0.0.115",
"0.0.116",
"0.0.117",
"0.0.118",
"0.0.119",
"0.0.12",
"0.0.120",
"0.0.121",
"0.0.122",
"0.0.123",
"0.0.124",
"0.0.125",
"0.0.126",
"0.0.127",
"0.0.128",
"0.0.129",
"0.0.13",
"0.0.130",
"0.0.131",
"0.0.132",
"0.0.133",
"0.0.134",
"0.0.135",
"0.0.136",
"0.0.137",
"0.0.138",
"0.0.139",
"0.0.14",
"0.0.140",
"0.0.141",
"0.0.142",
"0.0.143",
"0.0.144",
"0.0.145",
"0.0.146",
"0.0.147",
"0.0.148",
"0.0.149",
"0.0.15",
"0.0.150",
"0.0.151",
"0.0.152",
"0.0.153",
"0.0.154",
"0.0.155",
"0.0.156",
"0.0.157",
"0.0.158",
"0.0.159",
"0.0.16",
"0.0.160",
"0.0.161",
"0.0.162",
"0.0.163",
"0.0.164",
"0.0.165",
"0.0.166",
"0.0.167",
"0.0.168",
"0.0.169",
"0.0.17",
"0.0.170",
"0.0.171",
"0.0.172",
"0.0.173",
"0.0.174",
"0.0.175",
"0.0.176",
"0.0.177",
"0.0.178",
"0.0.179",
"0.0.18",
"0.0.180",
"0.0.181",
"0.0.182",
"0.0.183",
"0.0.184",
"0.0.185",
"0.0.186",
"0.0.187",
"0.0.188",
"0.0.189",
"0.0.19",
"0.0.190",
"0.0.191",
"0.0.192",
"0.0.193",
"0.0.194",
"0.0.195",
"0.0.196",
"0.0.197",
"0.0.198",
"0.0.199",
"0.0.2",
"0.0.20",
"0.0.200",
"0.0.201",
"0.0.202",
"0.0.203",
"0.0.204",
"0.0.205",
"0.0.206",
"0.0.207",
"0.0.208",
"0.0.209",
"0.0.21",
"0.0.210",
"0.0.211",
"0.0.212",
"0.0.213",
"0.0.214",
"0.0.215",
"0.0.216",
"0.0.217",
"0.0.218",
"0.0.219",
"0.0.22",
"0.0.220",
"0.0.221",
"0.0.222",
"0.0.223",
"0.0.224",
"0.0.225",
"0.0.226",
"0.0.227",
"0.0.228",
"0.0.229",
"0.0.23",
"0.0.230",
"0.0.231",
"0.0.232",
"0.0.233",
"0.0.234",
"0.0.235",
"0.0.236",
"0.0.237",
"0.0.238",
"0.0.239",
"0.0.24",
"0.0.240",
"0.0.240rc0",
"0.0.240rc1",
"0.0.240rc4",
"0.0.242",
"0.0.243",
"0.0.244",
"0.0.245",
"0.0.246",
"0.0.247",
"0.0.248",
"0.0.249",
"0.0.25",
"0.0.250",
"0.0.251",
"0.0.252",
"0.0.253",
"0.0.254",
"0.0.255",
"0.0.256",
"0.0.257",
"0.0.258",
"0.0.259",
"0.0.26",
"0.0.260",
"0.0.261",
"0.0.262",
"0.0.263",
"0.0.264",
"0.0.265",
"0.0.266",
"0.0.267",
"0.0.268",
"0.0.269",
"0.0.27",
"0.0.270",
"0.0.271",
"0.0.272",
"0.0.273",
"0.0.274",
"0.0.275",
"0.0.276",
"0.0.277",
"0.0.278",
"0.0.279",
"0.0.28",
"0.0.281",
"0.0.29",
"0.0.3",
"0.0.30",
"0.0.31",
"0.0.32",
"0.0.33",
"0.0.34",
"0.0.35",
"0.0.36",
"0.0.37",
"0.0.38",
"0.0.39",
"0.0.4",
"0.0.40",
"0.0.41",
"0.0.42",
"0.0.43",
"0.0.44",
"0.0.45",
"0.0.46",
"0.0.47",
"0.0.48",
"0.0.49",
"0.0.5",
"0.0.50",
"0.0.51",
"0.0.52",
"0.0.53",
"0.0.54",
"0.0.55",
"0.0.56",
"0.0.57",
"0.0.58",
"0.0.59",
"0.0.6",
"0.0.60",
"0.0.61",
"0.0.63",
"0.0.64",
"0.0.65",
"0.0.66",
"0.0.67",
"0.0.68",
"0.0.69",
"0.0.7",
"0.0.70",
"0.0.71",
"0.0.72",
"0.0.73",
"0.0.74",
"0.0.75",
"0.0.76",
"0.0.77",
"0.0.78",
"0.0.79",
"0.0.8",
"0.0.80",
"0.0.81",
"0.0.82",
"0.0.83",
"0.0.84",
"0.0.85",
"0.0.86",
"0.0.87",
"0.0.88",
"0.0.89",
"0.0.9",
"0.0.90",
"0.0.91",
"0.0.92",
"0.0.93",
"0.0.94",
"0.0.95",
"0.0.96",
"0.0.97",
"0.0.98",
"0.0.99",
"0.0.99rc0",
"0.0.283",
"0.0.284",
"0.0.285",
"0.0.286",
"0.0.287",
"0.0.288",
"0.0.289",
"0.0.290",
"0.0.291",
"0.0.292",
"0.0.293",
"0.0.294",
"0.0.295",
"0.0.296",
"0.0.297",
"0.0.298",
"0.0.299",
"0.0.300",
"0.0.301",
"0.0.302",
"0.0.303",
"0.0.304",
"0.0.305",
"0.0.306",
"0.0.307"
]
}
],
"aliases": [
"CVE-2023-39631"
],
"details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.",
"id": "PYSEC-2023-162",
"modified": "2023-10-04T16:56:57.465474Z",
"published": "2023-09-01T16:15:00Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/pydata/numexpr/issues/442"
},
{
"type": "REPORT",
"url": "https://github.com/pydata/numexpr/issues/442"
},
{
"type": "FIX",
"url": "https://github.com/pydata/numexpr/issues/442"
},
{
"type": "EVIDENCE",
"url": "https://github.com/langchain-ai/langchain/issues/8363"
},
{
"type": "REPORT",
"url": "https://github.com/langchain-ai/langchain/issues/8363"
},
{
"type": "FIX",
"url": "https://github.com/langchain-ai/langchain/pull/11302"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…