CVE-2024-12909

Description

A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch on the repo, this removing it from documentation etc.

How to fix CVE-2024-12909

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2024-12909 being exploited?

Low — EPSS is 4.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 0.3.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-12909
• PATCHgithub.com/run-llama/llama_index
• WEBgithub.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75
• WEBgithub.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat