CVE-2023-39631.yaml
info:
  name: langchain
  cve: CVE-2023-39631
  summary: Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
  details: |
    An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
    Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to langchain>=0.0.308
    2. Ensure numexpr is updated to version 2.8.5 or higher if used
rule: version < "0.0.308"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2023-39631
  - https://github.com/langchain-ai/langchain/issues/8363
  - https://github.com/pydata/numexpr/issues/442
  - https://github.com/langchain-ai/langchain/pull/11302
  - https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7
  - https://github.com/langchain-ai/langchain
  - https://github.com/langchain-ai/langchain/releases/tag/v0.0.308
  - https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml
  - https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml