llama-index-vector-stores-duckdb@0.2.0 vulnerabilities

llama-index vector_stores duckdb integration

latest version

0.4.6

latest non vulnerable version

0.4.6

first published

1 years ago

latest version published

3 days ago

licenses detected

MIT
[0,)

View llama-index-vector-stores-duckdb package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the llama-index-vector-stores-duckdb package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C SQL Injection llama-index-vector-stores-duckdb is a llama-index vector_stores duckdb integration Affected versions of this package are vulnerable to SQL Injection through the `DuckDBVectorStore` class. An attacker can manipulate the `ref_doc_id` parameter, enabling them to read and write arbitrary files on the server, potentially leading to unauthorized data access and system control by injecting malicious SQL commands. How to fix SQL Injection? Upgrade `llama-index-vector-stores-duckdb` to version 0.3.1 or higher.	[,0.3.1)

SQL Injection

llama-index-vector-stores-duckdb is a llama-index vector_stores duckdb integration

Affected versions of this package are vulnerable to SQL Injection through the DuckDBVectorStore class. An attacker can manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to unauthorized data access and system control by injecting malicious SQL commands.

How to fix SQL Injection?

Upgrade llama-index-vector-stores-duckdb to version 0.3.1 or higher.

[,0.3.1)

Go back to all versions of this package