| タイトル | GAIR-NLP factool 0.0 Code Injection |
|---|
| 説明 |
Factool is a tool augmented framework for detecting factual errors of texts generated by LLM. The tool contains a vulnerability of type CWE - 94: Code Injection. In the provided Python code, the `python_executor` class poses a significant security risk. The `run_single` method directly employs the `exec()` function to execute the `program` parameter, which is presumably user - inputted code. Moreover, the same `program` is executed twice within this method. The `run` method also calls `run_single` with a `snippet` parameter without proper validation.
When an attacker supplies malicious Python code as input, the `exec()` function will execute it, enabling the attacker to access sensitive data, execute system commands, or modify system settings. This vulnerability can lead to unauthorized access, data leakage, and system compromise, posing a severe threat to the security and integrity of the software and its underlying infrastructure.
More details: https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| ソース | ⚠️ https://github.com/GAIR-NLP/factool/issues/50 |
|---|
| ユーザー | ybdesire (UID 83239) |
|---|
| 送信 | 2025年04月21日 10:37 (1 年 ago) |
|---|
| モデレーション | 2025年05月04日 20:07 (13 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 307365 [GAIR-NLP factool 迄 3f3914bc090b644be044b7e0005113c135d8b20f tool.py run_single 特権昇格] |
|---|
| ポイント | 20 |
|---|