{"id":"GHSA-2xxc-73fv-36f7","summary":"llama-index vulnerable to arbitrary code execution","details":"An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.","aliases":["CVE-2023-39662","PYSEC-2023-148"],"modified":"2024-09-30T16:44:07.061189Z","published":"2023-08-15T18:31:32Z","database_specific":{"severity":"CRITICAL","github_reviewed":true,"nvd_published_at":"2023-08-15T17:15:13Z","github_reviewed_at":"2023-08-15T21:23:47Z","cwe_ids":["CWE-74","CWE-94"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39662"},{"type":"WEB","url":"https://github.com/jerryjliu/llama_index/issues/7054"},{"type":"WEB","url":"https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81"},{"type":"WEB","url":"https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7"},{"type":"PACKAGE","url":"https://github.com/jerryjliu/llama_index"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml"}],"affected":[{"package":{"name":"llama-index","ecosystem":"PyPI","purl":"pkg:pypi/llama-index"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.14"}]}],"versions":["0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.4.15","0.4.16","0.4.17","0.4.18","0.4.19","0.4.20","0.4.21","0.4.22","0.4.22.post1","0.4.23","0.4.24","0.4.25","0.4.26","0.4.27","0.4.28","0.4.29","0.4.30","0.4.31","0.4.32","0.4.33","0.4.34","0.4.35","0.4.35.post1","0.4.36","0.4.37","0.4.38","0.4.39","0.4.4","0.4.4.post1","0.4.4.post2","0.4.40","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.5.0","0.5.1","0.5.10","0.5.11","0.5.12","0.5.13","0.5.13.post1","0.5.15","0.5.16","0.5.17","0.5.17.post1","0.5.18","0.5.19","0.5.2","0.5.20","0.5.21","0.5.22","0.5.23","0.5.23.post1","0.5.25","0.5.26","0.5.27","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9","0.6.0","0.6.0a1","0.6.0a2","0.6.0a3","0.6.0a4","0.6.0a5","0.6.0a6","0.6.0a7","0.6.1","0.6.10","0.6.10.post1","0.6.11","0.6.12","0.6.13","0.6.14","0.6.15","0.6.16","0.6.16.post1","0.6.17","0.6.18","0.6.19","0.6.2","0.6.20","0.6.21.post1","0.6.22","0.6.23","0.6.24","0.6.25","0.6.25.post1","0.6.26","0.6.27","0.6.28","0.6.29","0.6.30","0.6.31","0.6.32","0.6.33","0.6.34","0.6.34.post1","0.6.35","0.6.36","0.6.37","0.6.38","0.6.38.post1","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.10","0.7.10.post1","0.7.11","0.7.11.post1","0.7.12","0.7.13","0.7.14","0.7.15","0.7.16","0.7.17","0.7.18","0.7.19","0.7.2","0.7.20","0.7.21","0.7.22","0.7.23","0.7.24.post1","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.7.9","0.8.0","0.8.1","0.8.1.post1","0.8.10","0.8.10.post1","0.8.11","0.8.11.post1","0.8.11.post2","0.8.11.post3","0.8.12","0.8.13","0.8.14","0.8.15","0.8.16","0.8.17","0.8.18","0.8.19","0.8.2","0.8.2.post1","0.8.20","0.8.21","0.8.22","0.8.23","0.8.23.post1","0.8.24","0.8.24.post1","0.8.25","0.8.26","0.8.26.post1","0.8.27","0.8.28","0.8.28a1","0.8.29","0.8.29.post1","0.8.3","0.8.30","0.8.31","0.8.32","0.8.33","0.8.34","0.8.35","0.8.36","0.8.37","0.8.38","0.8.39","0.8.39.post2","0.8.4","0.8.40","0.8.41","0.8.42","0.8.43","0.8.43.post1","0.8.44","0.8.45","0.8.45.post1","0.8.46","0.8.47","0.8.48","0.8.49","0.8.5","0.8.5.post1","0.8.5.post2","0.8.50","0.8.51","0.8.51.post1","0.8.52","0.8.53","0.8.53.post3","0.8.54","0.8.55","0.8.56","0.8.57","0.8.58","0.8.59","0.8.6","0.8.61","0.8.62","0.8.63.post1","0.8.63.post2","0.8.64","0.8.64.post1","0.8.65","0.8.66","0.8.67","0.8.68","0.8.69","0.8.69.post1","0.8.69.post2","0.8.7","0.8.8","0.8.9","0.9.0","0.9.0.post1","0.9.0a1","0.9.0a2","0.9.0a3","0.9.1","0.9.10","0.9.10a1","0.9.10a2","0.9.11","0.9.11.post1","0.9.12","0.9.12a1","0.9.12a2","0.9.12a3","0.9.12a4","0.9.12a5","0.9.12a6","0.9.13","0.9.2","0.9.3","0.9.3.post1","0.9.4","0.9.5","0.9.6","0.9.6.post1","0.9.6.post2","0.9.7","0.9.8","0.9.8.post1","0.9.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-2xxc-73fv-36f7/GHSA-2xxc-73fv-36f7.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}