Summaryinfo

A vulnerability was found in LangChain 0.0.64 and classified as critical. Impacted is an unknown function of the component SQLDatabaseChain. Such manipulation leads to sql injection. This vulnerability is documented as CVE-2023-36189. The attack can be executed remotely. There is not any exploit available. Applying a patch is advised to resolve this issue.

Detailsinfo

A vulnerability was found in LangChain 0.0.64. It has been rated as critical. Affected by this issue is an unknown code of the component SQLDatabaseChain. The manipulation with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.

The weakness was released 07/06/2023 as 5923. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-36189 since 06/21/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1505.

Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• LangChain

Version

• 0.0.64

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion