SQL Injection Affecting llama-index package, versions [0,]


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.08% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-LLAMAINDEX-6184684
  • published 26 Jan 2024
  • disclosed 22 Jan 2024
  • credit fubuki8087

How to fix?

There is no fixed version for llama-index.

Overview

llama-index is an Interface between LLMs and your data

Affected versions of this package are vulnerable to SQL Injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine and PGVectorSQLQueryEngine. An attacker can manipulate or corrupt database contents by injecting SQL commands into the English language input.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.6 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    High
  • Availability (A)
    Low
Expand this section

NVD

9.8 critical