pysec-2023-162
Vulnerability from pysec
Published
2023-09-01 16:15
Modified
2023-10-04 16:56
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.1 vector from the record below)
Details
An issue in LangChain-ai LangChain v0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. The affected range in the record below runs from the first release up to, but not including, 0.0.308, which is listed as the fixed version.
Impacted products
| Name | purl |
|---|---|
| langchain | pkg:pypi/langchain |
Aliases
CVE-2023-39631
OSV record
{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain",
        "purl": "pkg:pypi/langchain"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "0.0.308" }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1", "0.0.10", "0.0.100", "0.0.101", "0.0.101rc0", "0.0.102", "0.0.102rc0", "0.0.103", "0.0.104", "0.0.105", "0.0.106", "0.0.107", "0.0.108", "0.0.109",
        "0.0.11", "0.0.110", "0.0.111", "0.0.112", "0.0.113", "0.0.114", "0.0.115", "0.0.116", "0.0.117", "0.0.118", "0.0.119",
        "0.0.12", "0.0.120", "0.0.121", "0.0.122", "0.0.123", "0.0.124", "0.0.125", "0.0.126", "0.0.127", "0.0.128", "0.0.129",
        "0.0.13", "0.0.130", "0.0.131", "0.0.132", "0.0.133", "0.0.134", "0.0.135", "0.0.136", "0.0.137", "0.0.138", "0.0.139",
        "0.0.14", "0.0.140", "0.0.141", "0.0.142", "0.0.143", "0.0.144", "0.0.145", "0.0.146", "0.0.147", "0.0.148", "0.0.149",
        "0.0.15", "0.0.150", "0.0.151", "0.0.152", "0.0.153", "0.0.154", "0.0.155", "0.0.156", "0.0.157", "0.0.158", "0.0.159",
        "0.0.16", "0.0.160", "0.0.161", "0.0.162", "0.0.163", "0.0.164", "0.0.165", "0.0.166", "0.0.167", "0.0.168", "0.0.169",
        "0.0.17", "0.0.170", "0.0.171", "0.0.172", "0.0.173", "0.0.174", "0.0.175", "0.0.176", "0.0.177", "0.0.178", "0.0.179",
        "0.0.18", "0.0.180", "0.0.181", "0.0.182", "0.0.183", "0.0.184", "0.0.185", "0.0.186", "0.0.187", "0.0.188", "0.0.189",
        "0.0.19", "0.0.190", "0.0.191", "0.0.192", "0.0.193", "0.0.194", "0.0.195", "0.0.196", "0.0.197", "0.0.198", "0.0.199",
        "0.0.2", "0.0.20", "0.0.200", "0.0.201", "0.0.202", "0.0.203", "0.0.204", "0.0.205", "0.0.206", "0.0.207", "0.0.208", "0.0.209",
        "0.0.21", "0.0.210", "0.0.211", "0.0.212", "0.0.213", "0.0.214", "0.0.215", "0.0.216", "0.0.217", "0.0.218", "0.0.219",
        "0.0.22", "0.0.220", "0.0.221", "0.0.222", "0.0.223", "0.0.224", "0.0.225", "0.0.226", "0.0.227", "0.0.228", "0.0.229",
        "0.0.23", "0.0.230", "0.0.231", "0.0.232", "0.0.233", "0.0.234", "0.0.235", "0.0.236", "0.0.237", "0.0.238", "0.0.239",
        "0.0.24", "0.0.240", "0.0.240rc0", "0.0.240rc1", "0.0.240rc4", "0.0.242", "0.0.243", "0.0.244", "0.0.245", "0.0.246", "0.0.247", "0.0.248", "0.0.249",
        "0.0.25", "0.0.250", "0.0.251", "0.0.252", "0.0.253", "0.0.254", "0.0.255", "0.0.256", "0.0.257", "0.0.258", "0.0.259",
        "0.0.26", "0.0.260", "0.0.261", "0.0.262", "0.0.263", "0.0.264", "0.0.265", "0.0.266", "0.0.267", "0.0.268", "0.0.269",
        "0.0.27", "0.0.270", "0.0.271", "0.0.272", "0.0.273", "0.0.274", "0.0.275", "0.0.276", "0.0.277", "0.0.278", "0.0.279",
        "0.0.28", "0.0.281", "0.0.29",
        "0.0.3", "0.0.30", "0.0.31", "0.0.32", "0.0.33", "0.0.34", "0.0.35", "0.0.36", "0.0.37", "0.0.38", "0.0.39",
        "0.0.4", "0.0.40", "0.0.41", "0.0.42", "0.0.43", "0.0.44", "0.0.45", "0.0.46", "0.0.47", "0.0.48", "0.0.49",
        "0.0.5", "0.0.50", "0.0.51", "0.0.52", "0.0.53", "0.0.54", "0.0.55", "0.0.56", "0.0.57", "0.0.58", "0.0.59",
        "0.0.6", "0.0.60", "0.0.61", "0.0.63", "0.0.64", "0.0.65", "0.0.66", "0.0.67", "0.0.68", "0.0.69",
        "0.0.7", "0.0.70", "0.0.71", "0.0.72", "0.0.73", "0.0.74", "0.0.75", "0.0.76", "0.0.77", "0.0.78", "0.0.79",
        "0.0.8", "0.0.80", "0.0.81", "0.0.82", "0.0.83", "0.0.84", "0.0.85", "0.0.86", "0.0.87", "0.0.88", "0.0.89",
        "0.0.9", "0.0.90", "0.0.91", "0.0.92", "0.0.93", "0.0.94", "0.0.95", "0.0.96", "0.0.97", "0.0.98", "0.0.99", "0.0.99rc0",
        "0.0.283", "0.0.284", "0.0.285", "0.0.286", "0.0.287", "0.0.288", "0.0.289", "0.0.290", "0.0.291", "0.0.292", "0.0.293", "0.0.294", "0.0.295", "0.0.296", "0.0.297", "0.0.298", "0.0.299", "0.0.300", "0.0.301", "0.0.302", "0.0.303", "0.0.304", "0.0.305", "0.0.306", "0.0.307"
      ]
    }
  ],
  "aliases": [ "CVE-2023-39631" ],
  "details": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.",
  "id": "PYSEC-2023-162",
  "modified": "2023-10-04T16:56:57.465474Z",
  "published": "2023-09-01T16:15:00Z",
  "references": [
    { "type": "EVIDENCE", "url": "https://github.com/pydata/numexpr/issues/442" },
    { "type": "REPORT", "url": "https://github.com/pydata/numexpr/issues/442" },
    { "type": "FIX", "url": "https://github.com/pydata/numexpr/issues/442" },
    { "type": "EVIDENCE", "url": "https://github.com/langchain-ai/langchain/issues/8363" },
    { "type": "REPORT", "url": "https://github.com/langchain-ai/langchain/issues/8363" },
    { "type": "FIX", "url": "https://github.com/langchain-ai/langchain/pull/11302" }
  ],
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }
  ]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.