What is CVE-2023-44467?

CVE-2023-44467 is a vulnerability in langchain_experimental 0.0.14 that allows an attacker to bypass a previous fix and execute arbitrary code.

How does CVE-2023-44467 work?

CVE-2023-44467 works by exploiting the PALChain in the python exec method.

Is langchain_experimental 0.0.14 affected by this vulnerability?

Yes, langchain_experimental 0.0.14 is affected by CVE-2023-44467.

What is the severity of CVE-2023-44467?

The severity of CVE-2023-44467 is not specified in the provided information.

How can I fix CVE-2023-44467?

To fix CVE-2023-44467, update langchain_experimental to a version that includes the fix or apply the relevant patch provided by the vendor.

Vulnerability/
CVE-2023-44467

critical

9.8

9/10/2023

26/2/2024

CVE-2023-44467

First published: Mon Oct 09 2023(Updated: )

langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Langchain Langchain Experimental	=0.0.14
pip/langchain-experimental	<=0.0.14
	=0.0.14

Remedy

https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-44467?
CVE-2023-44467 is a vulnerability in langchain_experimental 0.0.14 that allows an attacker to bypass a previous fix and execute arbitrary code.
How does CVE-2023-44467 work?
CVE-2023-44467 works by exploiting the PALChain in the python exec method.
Is langchain_experimental 0.0.14 affected by this vulnerability?
Yes, langchain_experimental 0.0.14 is affected by CVE-2023-44467.
What is the severity of CVE-2023-44467?
The severity of CVE-2023-44467 is not specified in the provided information.
How can I fix CVE-2023-44467?
To fix CVE-2023-44467, update langchain_experimental to a version that includes the fix or apply the relevant patch provided by the vendor.

collector/nvd-index
agent/type
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/author
agent/description
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/softwarecombine
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-gjjr-63x4-v8cq
alias/CVE-2023-44467
agent/references
agent/last-modified-date
collector/nvd-cve
agent/tags
collector/github-advisory
vendor/langchain
canonical/langchain langchain experimental
version/langchain langchain experimental/0.0.14
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.