Description

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

INFO

Published Date :

2024-07-31T15:50:59.837Z

Last Modified :

2024-07-31T16:20:20.326Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-41950 vulnerability.

Vendors Products
Deepset
  • Haystack
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-41950.

URL Resource
https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0 cve-icon cve-icon
https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e cve-icon cve-icon
https://github.com/deepset-ai/haystack/pull/8095 cve-icon cve-icon
https://github.com/deepset-ai/haystack/pull/8096 cve-icon cve-icon
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1 cve-icon cve-icon
https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact