| Titel | GAIR-NLP factool 0.0 Code Injection |
|---|
| Beschreibung |
Factool is a tool augmented framework for detecting factual errors of texts generated by LLM. The tool contains a vulnerability of type CWE - 94: Code Injection. In the provided Python code, the `python_executor` class poses a significant security risk. The `run_single` method directly employs the `exec()` function to execute the `program` parameter, which is presumably user - inputted code. Moreover, the same `program` is executed twice within this method. The `run` method also calls `run_single` with a `snippet` parameter without proper validation.
When an attacker supplies malicious Python code as input, the `exec()` function will execute it, enabling the attacker to access sensitive data, execute system commands, or modify system settings. This vulnerability can lead to unauthorized access, data leakage, and system compromise, posing a severe threat to the security and integrity of the software and its underlying infrastructure.
More details: https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| Quelle | ⚠️ https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| Benutzer | ybdesire (UID 83239) |
|---|
| Einreichung | 21.04.2025 10:37 (vor 1 Jahr) |
|---|
| Moderieren | 04.05.2025 20:07 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 307365 [GAIR-NLP factool bis 3f3914bc090b644be044b7e0005113c135d8b20f tool.py run_single erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|