CVE-2024-0243
Arbitrary Code Execution (ACE) vulnerability in langchain (PyPI)
What is CVE-2024-0243 About?
This ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core allows attackers to execute arbitrary code. Exploitation relies on existing privilege to modify an existing logback configuration file or to inject an environment variable before the application starts.
Affected Software
- langchain
  - <0.1.0
- langchain-exa
  - <bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
  - <0.1.0
Technical Details
The vulnerability is an Arbitrary Code Execution (ACE) flaw within the 'JaninoEventEvaluator' component of 'QOS.CH logback-core' up to version 1.5.12. This component allows dynamic expression evaluation using Janino. An attacker can achieve arbitrary code execution by either: 1) gaining write access to an existing 'logback' configuration file and injecting malicious code into it, or 2) injecting a malicious environment variable that points to a controlled malicious 'logback' configuration file before the application starts. In both cases, when 'logback' initializes and processes the malicious configuration, the 'JaninoEventEvaluator' will execute the injected code, compromising the application process.
What is the Impact of CVE-2024-0243?
Successful exploitation may allow attackers to execute arbitrary commands, take full control of the affected system, or deploy malware.
What is the Exploitability of CVE-2024-0243?
Exploitation requires the attacker to have existing privileges to either modify a 'logback' configuration file or inject environment variables prior to program execution. This means a prior compromise or specific access is needed, making the complexity moderate to high. No authentication is directly involved in the exploitation of this component, but prior access is a prerequisite. This is typically a local exploitation scenario, as it requires direct interaction with the system's configuration or environment. The risk factors include lax file permissions on configuration files or vulnerabilities allowing environment variable injection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-0243?
Available Upgrade Options
- langchain-exa
  - <0.1.0 → Upgrade to 0.1.0
  - <bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22 → Upgrade to bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
- langchain
  - <0.1.0 → Upgrade to 0.1.0
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2024-235
- https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51
- https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861
- https://github.com/langchain-ai/langchain/pull/15559
- https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
- https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2024-0243
What are Similar Vulnerabilities to CVE-2024-0243?
Similar Vulnerabilities: CVE-2023-46604, CVE-2023-50164, CVE-2023-38035, CVE-2023-36830, CVE-2023-35805
