| عنوان | GAIR-NLP factool 0.0 Code Injection |
|---|
| الوصف |
Factool is a tool augmented framework for detecting factual errors of texts generated by LLM. The tool contains a vulnerability of type CWE - 94: Code Injection. In the provided Python code, the `python_executor` class poses a significant security risk. The `run_single` method directly employs the `exec()` function to execute the `program` parameter, which is presumably user - inputted code. Moreover, the same `program` is executed twice within this method. The `run` method also calls `run_single` with a `snippet` parameter without proper validation.
When an attacker supplies malicious Python code as input, the `exec()` function will execute it, enabling the attacker to access sensitive data, execute system commands, or modify system settings. This vulnerability can lead to unauthorized access, data leakage, and system compromise, posing a severe threat to the security and integrity of the software and its underlying infrastructure.
More details: https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| المصدر | ⚠️ https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| المستخدم | ybdesire (UID 83239) |
|---|
| ارسال | 21/04/2025 10:37 AM (1 سنة منذ) |
|---|
| الاعتدال | 04/05/2025 08:07 PM (13 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 307365 [GAIR-NLP factool حتى 3f3914bc090b644be044b7e0005113c135d8b20f tool.py run_single تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|