Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.
The vulnerability results from the lack of proper sanitization of input data passed to SQL queries in LlamaIndex library vector store integrations. An attacker can inject malicious SQL code into parameters processed by the library, resulting in the execution of unintended database operations. The attack vector is network-based, does not require authentication or user interaction, and its exploitation is relatively simple (low attack complexity).
An attacker can gain unauthorized access to data of other users of a web application using the LlamaIndex library, as well as modify stored data — leading to violations of data confidentiality and integrity.
Patches available from the vendor should be applied according to the references. The fix was introduced in commit 0008041e8dde8e519621388e5d6f558bde6ef42e available in the GitHub repository of the run-llama/llama_index project.
LlamaIndex (run-llama/llama_index) version v0.12.21 — affects web applications using vector store integrations of this library.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLlamaindex
APPLlamaindex0.12.21 – 0.12.28 (bez)
Related vulnerabilities
SQL Injection w DuckDBVectorStore umożliwiający RCE (LlamaIndex)
SQL Injection i RCE w FinanceChatLlamaPack biblioteki LlamaIndex
SQL Injection umożliwiający RCE w komponencie duckdb_retriever biblioteki LlamaIndex
Command injection w LlamaIndex — obejście safe_eval umożliwia RCE
SQL injection w LlamaIndex przez funkcję Text-to-SQL