{ "threat_severity" : "Low", "public_date" : "2024-10-29T12:50:13Z", "bugzilla" : { "description" : "langchain: SQL Injection in langchain-ai/langchain", "id" : "2322452", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2322452" }, "cvss3" : { "cvss3_base_score" : "4.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "draft" }, "cwe" : "CWE-89", "details" : [ "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", "A security issue was discovered in the LangChain LLM framework. In certain configurations, an attacker may be able to execute a SQL injection attack via prompt injection. This may lead to exposure of confidential data, data manipulation, or a denial of service." ], "statement" : "Red Hat rates the impact of this vulnerability as low, due to the GraphCypherQAChain class having explicit documentation requiring appropriate RBAC control and the fact that successful exploitation requires having an exposed endpoint that accepts inputs from a user.", "package_state" : [ { "product_name" : "OpenShift Lightspeed", "fix_state" : "Not affected", "package_name" : "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "aap-cloud-metrics-collector-container", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/de-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ansible-dev-tools-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-25/platform-resource-runner-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Not affected", "package_name" : "rhelai1/bootc-nvidia-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-8309\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8309\nhttps://api.python.langchain.com/en/latest/chains/langchain.chains.graph_qa.cypher.GraphCypherQAChain.html\nhttps://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255\nhttps://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5" ], "name" : "CVE-2024-8309", "csaw" : false }