rtdip_sdk-0.10.1-py3-none-any.whl: 9 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - rtdip_sdk-0.10.1-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (rtdip_sdk version)	Remediation Possible**
CVE-2024-27444	Critical	9.8	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌
CVE-2023-39659	Critical	9.8	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌
CVE-2023-39631	Critical	9.8	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌
CVE-2023-36281	Critical	9.8	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌
CVE-2023-46229	High	8.8	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌
CVE-2024-28088	High	7.3	langchain-0.0.291-py3-none-any.whl	Transitive	N/A*	❌
CVE-2024-2057	Medium	6.3	langchain-0.0.291-py3-none-any.whl	Transitive	N/A*	❌
CVE-2024-22195	Medium	6.1	Jinja2-3.1.2-py3-none-any.whl	Transitive	N/A*	❌
CVE-2024-0243	Low	3.7	langchain-0.0.291-py3-none-any.whl	Transitive	0.10.4	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-27444

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the import, subclasses, builtins, globals, getattribute, bases, mro, or base attribute in Python code. These are not prohibited by pal_chain/base.py.

Publish Date: 2024-02-26

URL: CVE-2024-27444

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27444

Release Date: 2024-02-26

Fix Resolution (langchain): 0.1.8

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

CVE-2023-39659

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

Publish Date: 2023-08-15

URL: CVE-2023-39659

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-prgp-w7vf-ch62

Release Date: 2023-08-15

Fix Resolution (langchain): 0.0.325

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

CVE-2023-39631

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

Publish Date: 2023-09-01

URL: CVE-2023-39631

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f73w-4m7g-ch9x

Release Date: 2023-09-01

Fix Resolution (langchain): 0.0.308

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

CVE-2023-36281

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to subclasses or a template.

Publish Date: 2023-08-22

URL: CVE-2023-36281

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7gfq-f96f-g85j

Release Date: 2023-08-22

Fix Resolution (langchain): 0.0.312

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

CVE-2023-46229

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

Publish Date: 2023-10-19

URL: CVE-2023-46229

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-10-19

Fix Resolution (langchain): 0.0.317

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

CVE-2024-28088

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

Publish Date: 2024-03-04

URL: CVE-2024-28088

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-03-04

Fix Resolution: langchain - 0.1.12

Step up your Open Source Security Game with Mend here

CVE-2024-2057

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

A vulnerability was found in Harrison Chase LangChain 0.1.9. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255372.

Publish Date: 2024-03-01

URL: CVE-2024-2057

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-03-01

Fix Resolution: langchain - 0.1.12

Step up your Open Source Security Game with Mend here

CVE-2024-22195

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20231205110316_YZEJLS/cmd_GBLXLB/20231205111657/.ws-temp-YCSTSE-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20231205110316_YZEJLS/cmd_GBLXLB/20231205111657/.ws-temp-YCSTSE-requirements.txt,/tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11

URL: CVE-2024-22195

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c8-rqwp-cp95

Release Date: 2024-01-11

Fix Resolution: jinja2 - 3.1.3

Step up your Open Source Security Game with Mend here

CVE-2024-0243

Vulnerable Library - langchain-0.0.291-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/58/e7/b2e5e3b4255166183f83f470e12bc65fb6136d8e6c6b03494edfb3257ea1/langchain-0.0.291-py3-none-any.whl

Path to dependency file: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Path to vulnerable library: /tmp/ws-ua_20240301164043_TMWBFH/cmd_RBNNCT/20240301164618/.ws-temp-WNWIOL-requirements.txt

Dependency Hierarchy:

• rtdip_sdk-0.10.1-py3-none-any.whl (Root Library)
  • ❌ langchain-0.0.291-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 33965cb8afaead2dba68b8c2ba100b9c291ed21e

Found in base branch: main

Vulnerability Details

With the following crawler configuration:

from bs4 import BeautifulSoup as Soup

url = "https://example.com"
loader = RecursiveUrlLoader(
    url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text
)
docs = loader.load()

An attacker in control of the contents of https://example.com could place a malicious HTML file in there with links like "https://example.completely.different/my_file.html" and the crawler would proceed to download that file as well even though prevent_outside=True.

https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51

Resolved in langchain-ai/langchain#15559

Publish Date: 2024-02-26

URL: CVE-2024-0243

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-02-26

Fix Resolution (langchain): 0.1.0

Direct dependency fix Resolution (rtdip-sdk): 0.10.4

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.