Home > Vulnerability Database > CVE-2024-8309

Mend.io Vulnerability Database

CVE-2024-8309

Good to know:

Date: October 29, 2024

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Language: Python

Severity Score

9.8

Related Resources (7)

Url: https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e

Url: https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5

Url: https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml

Url: https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255

Url: https://github.com/langchain-ai/langchain

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-8309

Url: https://www.mend.io/vulnerability-database/CVE-2024-8309

Severity Score

9.8

Weakness Type (CWE)

Injection

CWE-74

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version langchain-community - 0.3.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-8309

Good to know:

Date: October 29, 2024

Language: Python

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?