Exploit
CVE-2024-8309

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 9.8 | EPSS 0.04% | Critical

Summary

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues.

Impact

Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. This can result in unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability.

Exploitation

One proof-of-concept exploit is available on huntr.com. There is currently no evidence of exploitation.

Patch

A patch is available. The vulnerability has been addressed in versions newer than 0.2.5 of langchain-ai/langchain. A fix was committed to the GitHub repository on November 1, 2024.

Mitigation

Update langchain-ai/langchain to a version newer than 0.2.5 as soon as possible. In the meantime, implement additional input validation and sanitization for any user-provided inputs that interact with the GraphCypherQAChain class. Consider implementing least privilege access controls and regularly audit database operations. For multi-tenant environments, ensure proper isolation between tenants.
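
One way to apply the validation and least-privilege advice above, as an added example that is not part of the advisory or of LangChain's code: a fail-closed check that rejects LLM-generated Cypher containing write-capable clauses before it reaches the database. The function names, the clause list and the sample queries are assumptions constructed for illustration; how a deployment intercepts the generated query is left out.

```python
import re

# Assumed deny-list: Cypher clauses that write data, change schema,
# run procedures or read external files. Extend it for your database.
WRITE_CLAUSES = {"CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE",
                 "DROP", "FOREACH", "CALL", "LOAD"}

# String literals, quoted identifiers and comments are blanked first so that
# a title such as 'The Set' or a keyword inside a comment is not flagged.
_LITERALS_AND_COMMENTS = re.compile(
    r"""'(?:\\.|[^'\\])*'     # single-quoted string
      | "(?:\\.|[^"\\])*"     # double-quoted string
      | `(?:``|[^`])*`        # backtick-quoted identifier
      | //[^\n]*              # line comment
      | /\*.*?\*/             # block comment
    """, re.VERBOSE | re.DOTALL)
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def write_clauses(cypher: str) -> list[str]:
    """Return write-capable keywords found outside literals and comments."""
    code = _LITERALS_AND_COMMENTS.sub(" ", cypher)
    found = []
    for m in _WORD.finditer(code):
        # A word right after '.' is a property name (n.set), not a clause.
        is_property = m.start() > 0 and code[m.start() - 1] == "."
        word = m.group().upper()
        if word in WRITE_CLAUSES and not is_property:
            found.append(word)
    return found

def assert_read_only(cypher: str) -> str:
    """Fail closed: raise instead of executing anything that may write."""
    hits = write_clauses(cypher)
    if hits:
        raise ValueError(f"generated Cypher rejected, contains: {hits}")
    return cypher

# Constructed samples of queries an LLM might emit for a user question.
SAMPLES = [
    "MATCH (p:Person)-[:ACTED_IN]->(m:Movie) WHERE m.title = 'The Set' RETURN p.name",
    "MATCH (n) RETURN n.set // harmless so far\n; MATCH (m) DETACH DELETE m",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(write_clauses(q) or "read-only", "<-", q.splitlines()[0])
```

The check deliberately over-rejects (for example, read-only `CALL` subqueries), and it belongs alongside a database account limited to read privileges rather than in place of one.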

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment
NVD published the first details for CVE-2024-8309
Oct 29, 2024 at 1:15 PM

First Article
Feedly found the first article mentioning CVE-2024-8309.
Oct 29, 2024 at 1:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 29, 2024 at 1:22 PM

Vendor Advisory
RedHat CVE advisory released a security advisory (CVE-2024-8309).
Oct 29, 2024 at 3:01 PM

CVSS
A CVSS base score of 4.9 has been assigned.
Oct 29, 2024 at 3:01 PM / redhat-cve-advisories

Vendor Advisory
GitHub Advisories released a security advisory.
Oct 29, 2024 at 3:32 PM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.9%)
Oct 30, 2024 at 10:18 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Nov 1, 2024 at 7:20 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released
Nov 1, 2024 at 9:10 PM

Affected Systems

Langchain/langchain

Exploits

https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5

Patches

Github Advisory

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

Vendor Advisory

[GHSA-45pg-36p6-83v9] Langchain-Community SQL Injection vulnerability
GitHub Security Advisory: GHSA-45pg-36p6-83v9
Release Date: 2024-10-29
Update Date: 2024-10-30
Severity: Low
CVE-2024-8309
Package Information
Package: langchain-community
Affected Versions:
Patched Versions: 0.3.0
Description: A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

News

CVE-2024-8309 Exploit
CVE Id: CVE-2024-8309
Published Date: 2024-11-01T19:19:00+00:00
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
inTheWild added a link to an exploit: https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5
Langchain SQL Injection vulnerability
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity …
CVE-2024-8309
This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Severity 3.1 (CVSS 3.1 Base Score)
CVE-2024-8309
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') No description is available for this CVE.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
