CVE-2024-23751
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.
LlamaIndex (también conocido como llama_index) hasta 0.9.34 permite la inyección de SQL a través de la función Texto a SQL en NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine y PGVectorSQLQueryEngine. Por ejemplo, un atacante podría eliminar los registros de los estudiantes de este año mediante "Soltar la tabla de estudiantes" dentro de la entrada en idioma inglés.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2024-01-22 CVE Reserved
- 2024-01-22 CVE Published
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- 2025-02-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/run-llama/llama_index/issues/9957 | 2024-08-01 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Llamaindex Search vendor "Llamaindex" | Llamaindex Search vendor "Llamaindex" for product "Llamaindex" | <= 0.9.34 Search vendor "Llamaindex" for product "Llamaindex" and version " <= 0.9.34" | - |
Affected
| ||||||