What is the severity of CVE-2024-23751?

CVE-2024-23751 is a high severity vulnerability due to its potential for SQL injection, which can lead to unauthorized data manipulation.

How do I fix CVE-2024-23751?

To fix CVE-2024-23751, upgrade to LlamaIndex version 0.9.35 or later, as this version includes necessary security patches.

What are the affected components in CVE-2024-23751?

CVE-2024-23751 affects multiple components including NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, and PGVectorSQLQueryEngine.

What types of attacks can be performed due to CVE-2024-23751?

An attacker can exploit CVE-2024-23751 to execute SQL injection attacks that may allow them to manipulate or delete data.

Which versions of LlamaIndex are vulnerable to CVE-2024-23751?

Versions of LlamaIndex up to and including 0.9.34 are vulnerable to CVE-2024-23751.

Vulnerability/
CVE-2024-23751

critical

9.8

CWE

EPSS

0.076%

22/1/2024

1/8/2024

CVE-2024-23751: SQL Injection

First published: Mon Jan 22 2024(Updated: )

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
pip/llama-index	<=0.9.35
Llamaindex	<=0.9.34

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-23751?
CVE-2024-23751 is a high severity vulnerability due to its potential for SQL injection, which can lead to unauthorized data manipulation.
How do I fix CVE-2024-23751?
To fix CVE-2024-23751, upgrade to LlamaIndex version 0.9.35 or later, as this version includes necessary security patches.
What are the affected components in CVE-2024-23751?
CVE-2024-23751 affects multiple components including NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, and PGVectorSQLQueryEngine.
What types of attacks can be performed due to CVE-2024-23751?
An attacker can exploit CVE-2024-23751 to execute SQL injection attacks that may allow them to manipulate or delete data.
Which versions of LlamaIndex are vulnerable to CVE-2024-23751?
Versions of LlamaIndex up to and including 0.9.34 are vulnerable to CVE-2024-23751.

agent/first-publish-date
agent/type
agent/references
agent/description
agent/author
agent/softwarecombine
collector/github-advisory-latest
source/GitHub
alias/GHSA-2jxw-4hm4-6w87
alias/CVE-2024-23751
agent/software-canonical-lookup
agent/severity
agent/event
collector/github-advisory
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/trending
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
package-manager/pip
vendor/llamaindex
canonical/llamaindex
version/llamaindex/0.9.34

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.