CVE-2024-12909
SQL Injection vulnerability in llama-index-packs-finchat (PyPI)
What is CVE-2024-12909 About?
This vulnerability is a SQL injection flaw in the `run_sql_query` function of the FinanceChatLlamaPack's `database_agent`. Attackers can inject arbitrary SQL queries, potentially leading to remote code execution (RCE) via PostgreSQL's large object functionality. Exploitation is straightforward for an attacker who can input malicious queries, posing a severe risk.
Affected Software
Technical Details
The vulnerability lies within the database_agent component of the FinanceChatLlamaPack, specifically in the run_sql_query function. This function executes the SQL it is handed without parameterization, restriction to read-only statements, or other sanitization of the user-influenced input, so an attacker who controls the input that reaches it can run arbitrary SQL statements. The aspect that turns this into Remote Code Execution (RCE) is noted to be 'PostgreSQL's large object functionality': the server-side large-object functions (lo_import, lo_export and related helpers) read and write files on the database server's filesystem when the database role is privileged enough to call them (by default only a superuser is). Injected SQL can therefore use them to plant arbitrary files on the database host and, from there, execute code on that server. The practical severity thus depends on the privileges of the database role the pack connects with; a role limited to SELECT on the needed tables cannot reach the filesystem this way.
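As an added example, not code from the llama_index project or the FinanceChatLlamaPack, the following block puts the vulnerable pattern described above (a tool that executes model-generated SQL as-is) beside a hardened version. The function names run_sql_query_unsafe, run_sql_query_hardened and validate_select, and the sample transactions table, are hypothetical; sqlite3 stands in for PostgreSQL so the block runs offline (the PostgreSQL function names in the denylist, such as lo_import and lo_export, are real). The hardened path has two layers: an allowlist check that admits one SELECT/WITH statement with no write keywords and no filesystem functions, and a connection the database itself holds read-only.

```python
import re
import sqlite3

# PostgreSQL functions that reach the server filesystem. The large-object API
# (lo_import/lo_export and friends) is the vehicle the advisory names for
# turning SQL injection into file writes and, from there, code execution.
FILESYSTEM_FUNCS = re.compile(
    r"\b(lo_(?:import|export|from_bytea|put|get|create|open|write|unlink)"
    r"|pg_read_(?:binary_)?file|pg_ls_dir|pg_file_write)\b", re.IGNORECASE)
# Data-modifying keywords anywhere in the statement: a PostgreSQL WITH clause
# may carry INSERT/UPDATE/DELETE even when the outer statement is a SELECT.
WRITE_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|COPY|GRANT|INTO)\b",
    re.IGNORECASE)


class UnsafeQuery(ValueError):
    """Raised when a model-generated query fails the allowlist checks."""


def _strip_literals_and_comments(sql: str) -> str:
    """Blank out '...' literals and comments so keywords hidden inside quotes
    or comments can neither fool nor falsely trip the checks below."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":                       # string literal; '' escapes a quote
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2
                        continue
                    break
                j += 1
            out.append("''")
            i = j + 1
        elif sql.startswith("--", i):           # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):           # block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def validate_select(sql: str) -> str:
    """Admit exactly one SELECT/WITH statement with no write keywords and no
    filesystem functions; return it unchanged or raise UnsafeQuery. This is a
    second line behind the database role, not a substitute for it."""
    cleaned = _strip_literals_and_comments(sql).strip().rstrip(";").rstrip()
    if not cleaned:
        raise UnsafeQuery("empty statement")
    if ";" in cleaned:
        raise UnsafeQuery("stacked statements are not allowed")
    first = cleaned.split(None, 1)[0].upper()
    if first not in ("SELECT", "WITH"):
        raise UnsafeQuery(f"only read queries are allowed, got {first}")
    if m := WRITE_KEYWORDS.search(cleaned):
        raise UnsafeQuery(f"write keyword {m.group(0).upper()} not allowed")
    if m := FILESYSTEM_FUNCS.search(cleaned):
        raise UnsafeQuery(f"filesystem function {m.group(0)} not allowed")
    return sql.strip()


def run_sql_query_unsafe(conn: sqlite3.Connection, query: str) -> list:
    """Vulnerable pattern: the (model/user-derived) query runs exactly as given."""
    return conn.execute(query).fetchall()


def run_sql_query_hardened(conn: sqlite3.Connection, query: str) -> list:
    """Validated query; intended to run on a read-only connection."""
    return conn.execute(validate_select(query)).fetchall()


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample data standing in for a finance dataset (hypothetical)."""
    conn.execute("CREATE TABLE transactions(id INTEGER PRIMARY KEY, ticker TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions(ticker, amount) VALUES (?, ?)",
                     [("ACME", 100.0), ("ACME", -25.5), ("XYZ", 42.0)])
    conn.commit()


def demo_unsafe() -> int:
    """Rows left after the unsafe tool runs a destructive query (returns 0)."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    run_sql_query_unsafe(conn, "DELETE FROM transactions")
    return conn.execute("SELECT count(*) FROM transactions").fetchone()[0]


def demo_hardened() -> dict:
    """Hardened tool against legitimate and hostile queries; returns the outcomes."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    # Layer 2: the database refuses writes on this connection. sqlite's
    # PRAGMA query_only plays the role of a PostgreSQL role granted SELECT
    # only, with no superuser rights and no access to server-side lo_* calls.
    conn.execute("PRAGMA query_only = ON")
    results = {}
    results["report"] = run_sql_query_hardened(
        conn, "SELECT ticker, sum(amount) FROM transactions GROUP BY ticker ORDER BY ticker")
    results["literal_ok"] = run_sql_query_hardened(         # keyword inside a literal is fine
        conn, "SELECT id FROM transactions WHERE ticker = 'x; DROP TABLE t'")
    hostile = {
        "delete": "DELETE FROM transactions",
        "stacked": "SELECT 1; DROP TABLE transactions",
        "cte_write": "WITH x AS (DELETE FROM transactions RETURNING *) SELECT * FROM x",
        "large_object": "SELECT lo_export(lo_import('/etc/passwd'), '/tmp/out')",
    }
    for name, q in hostile.items():
        try:
            run_sql_query_hardened(conn, q)
            results[name] = "executed"
        except UnsafeQuery as exc:
            results[name] = f"rejected: {exc}"
    try:  # Layer 1 bypassed (unsafe function called directly): layer 2 still holds
        run_sql_query_unsafe(conn, "DELETE FROM transactions")
        results["db_layer"] = "executed"
    except sqlite3.OperationalError:
        results["db_layer"] = "refused by database"
    return results
```

The keyword and function denylist is deliberately conservative (it will reject an identifier literally named `into`, for instance); the guarantee that matters is the read-only database role, which is also what stops a query that slips past the text checks from ever reaching lo_export.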
What is the Impact of CVE-2024-12909?
Successful exploitation may allow attackers to execute arbitrary SQL commands, modify or delete database contents, steal sensitive information, or achieve remote code execution on the underlying server.
What is the Exploitability of CVE-2024-12909?
Exploitation is of low complexity. An attacker needs to be able to submit input that is processed by the run_sql_query function within the database_agent. This typically involves direct interaction with the FinanceChatLlamaPack functionality. No specific authentication or privilege requirements are mentioned beyond the ability to interact with the vulnerable component. The vulnerability is remote, as it involves crafting input that is processed by a server-side component. The risk of exploitation is high given the potential for Remote Code Execution through SQL injection, especially if the application exposes the run_sql_query functionality to untrusted users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-12909?
Available Upgrade Options
- No fixes available
Additional Resources
- https://osv.dev/vulnerability/GHSA-x48g-hm9c-ww42
- https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75
- https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f
- https://github.com/run-llama/llama_index
- https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat
- https://nvd.nist.gov/vuln/detail/CVE-2024-12909
What are Similar Vulnerabilities to CVE-2024-12909?
Similar Vulnerabilities: CVE-2024-1597, CVE-2023-52428, CVE-2022-21448, CVE-2021-39225, CVE-2020-1941
