CVE-2024-2057.yaml
info:
  name: langchain
  cve: CVE-2024-2057
  summary: Server-side request forgery vulnerability in LangChain's load_local function
  details: A vulnerability was found in Harrison Chase LangChain 0.1.9. It affects the load_local function in the file libs/community/langchain_community/retrievers/tfidf.py. The vulnerability can lead to server-side request forgery, and the attack can be launched remotely. The identifier of this vulnerability is VDB-255372.
  cvss: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  severity: CRITICAL
  security_advise: Upgrade to the latest version of LangChain to resolve this issue, and make sure all security patches are applied promptly.
rule: version < "0.1.9"
references:
 - https://nvd.nist.gov/vuln/detail/CVE-2024-2057
 - https://github.com/langchain-ai/langchain/pull/18695
 - https://github.com/bayuncao/vul-cve-16
 - https://github.com/bayuncao/vul-cve-16/tree/main/PoC.pkl
 - https://vuldb.com/?ctiid.255372
 - https://vuldb.com/?id.255372