CVE-2023-34540

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-34540
Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/hwchase17/langchain/issues/4833 Exploit Issue Tracking
https://github.com/langchain-ai/langchain/pull/6992
https://github.com/langchain-ai/langchain/releases/tag/v0.0.225
Configurations

Configuration 1 (hide)

cpe:2.3:a:langchain:langchain:0.0.171:*:*:*:*:*:*:*
History

13 Mar 2024, 22:15

Type Values Removed Values Added
Summary (en) Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper(). This vulnerability allows attackers to execute arbitrary code via providing crafted input. (en) Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available.

07 Mar 2024, 20:15

Type Values Removed Values Added
Summary (en) An issue discovered in Langchain before 0.0.225 allows attacker to run arbitrary code via jira.run('other' substring. (en) Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper(). This vulnerability allows attackers to execute arbitrary code via providing crafted input.

06 Dec 2023, 21:15

Type Values Removed Values Added
Summary Langchain 0.0.171 is vulnerable to Arbitrary Code Execution. This is related to the jira.run('other' substring. An issue discovered in Langchain before 0.0.225 allows attacker to run arbitrary code via jira.run('other' substring.
References
  • () https://github.com/langchain-ai/langchain/pull/6992 -
  • () https://github.com/langchain-ai/langchain/releases/tag/v0.0.225 -

17 Nov 2023, 19:15

Type Values Removed Values Added
Summary Langchain 0.0.171 is vulnerable to Arbitrary Code Execution. Langchain 0.0.171 is vulnerable to Arbitrary Code Execution. This is related to the jira.run('other' substring.

29 Aug 2023, 18:57

Type Values Removed Values Added
CPE cpe:2.3:a:langchain_project:langchain:0.0.171:*:*:*:*:*:*:* cpe:2.3:a:langchain:langchain:0.0.171:*:*:*:*:*:*:*
First Time Langchain
Langchain langchain

23 Jun 2023, 13:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE NVD-CWE-noinfo
References (MISC) https://github.com/hwchase17/langchain/issues/4833 - (MISC) https://github.com/hwchase17/langchain/issues/4833 - Exploit, Issue Tracking
CPE cpe:2.3:a:langchain_project:langchain:0.0.171:*:*:*:*:*:*:*
First Time Langchain Project
Langchain Project langchain

14 Jun 2023, 15:30

Type Values Removed Values Added
New CVE
Information

Published : 2023-06-14 15:15

Updated : 2024-03-13 22:15

NVD link : CVE-2023-34540

Mitre link : CVE-2023-34540

CVE.ORG link : CVE-2023-34540

JSON object : View

Products Affected

langchain

  • langchain
CWE
NVD-CWE-noinfo