CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-23751
https://notcve.org/view.php?id=CVE-2024-23751
22 Jan 2024 — LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input. LlamaIndex (también conocido como llama_index) hasta 0.9.34 permite la inyección de SQL a través de la función Texto a SQL en NLSQLTableQueryEngine, SQLTableRe... • https://github.com/run-llama/llama_index/issues/9957 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39662
https://notcve.org/view.php?id=CVE-2023-39662
15 Aug 2023 — An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function. Un problema en llama_index v.0.7.13 y anteriores permite a un atacante remoto ejecutar código arbitrario a través del parámetro `exec` en la función PandasQueryEngine. • https://github.com/jerryjliu/llama_index/issues/7054 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •