CVE-2023-36258.yaml
info:
  name: langchain
  cve: CVE-2023-36258
  summary: langchain arbitrary code execution vulnerability
  details: |
    An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to langchain>=0.0.247
    2. Review and patch any custom code that interacts with the PALChain in the python exec method
    3. Monitor for any suspicious activity related to code execution
rule: version < "0.0.247"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2023-36258
  - https://github.com/langchain-ai/langchain/issues/5872
  - https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619
  - https://github.com/langchain-ai/langchain/pull/6003
  - https://github.com/langchain-ai/langchain/pull/7870
  - https://github.com/langchain-ai/langchain/pull/8425
  - https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137
  - https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e
  - https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751
  - https://github.com/hwchase17/langchain
  - https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml