Executive Summary

Information
Name : CVE-2024-0243
Vendor : Cve
First vendor Publication : 2024-02-26
Last vendor Modification : 2024-03-13

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA
 

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score : N/A
Cvss Impact Score : N/A
Cvss Exploit Score : N/A
Attack Range : N/A
Attack Complexity : N/A
Authentication : N/A

Detail

With the following crawler configuration:

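```python
from bs4 import BeautifulSoup as Soup
from langchain_community.document_loaders.recursive_url_loader import RecursiveUrlLoader

url = "https://example.com"
# Crawl from `url`, following links up to two levels deep and
# extracting the visible text of each fetched page.
loader = RecursiveUrlLoader(
    url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text
)
docs = loader.load()
```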

An attacker who controls the contents of `https://example.com` could place a malicious HTML file there containing links such as `https://example.completely.different/my_file.html`, and the crawler would download that file as well, even though `prevent_outside=True`.

https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51

Resolved in https://github.com/langchain-ai/langchain/pull/15559
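
An added example, not LangChain's code and not the fix from the pull request: it assumes the outside-link test was a string-prefix comparison against the base URL, which is what the example link above implies, and contrasts it with a check on the parsed origin. The function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def prefix_check(base_url: str, link: str) -> bool:
    """Assumed weak check: the link merely starts with the base URL string."""
    return link.startswith(base_url)


def _origin(parts):
    """(scheme, host, port) with case, trailing dot and default port normalised."""
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def same_site_check(base_url: str, link: str) -> bool:
    """Hardened check: same parsed origin, and path under the base path."""
    try:
        base, target = urlsplit(base_url), urlsplit(link)
        if not target.hostname or _origin(base) != _origin(target):
            return False
    except ValueError:  # malformed port or host: treat as outside
        return False
    base_dir = base.path if base.path.endswith("/") else base.path + "/"
    path = target.path or "/"
    return path == base.path or path.startswith(base_dir)


# Constructed sample links; only the second URL comes from the advisory text.
BASE = "https://example.com"
LINKS = [
    "https://example.com/about.html",
    "https://example.completely.different/my_file.html",
    "https://EXAMPLE.com:443/docs/",
    "http://example.com/about.html",
]


def compare(base_url=BASE, links=LINKS):
    """Return (link, prefix_result, hardened_result) for each link."""
    return [(l, prefix_check(base_url, l), same_site_check(base_url, l)) for l in links]


if __name__ == "__main__":
    for link, weak, strict in compare():
        print(f"prefix={weak!s:5} parsed={strict!s:5} {link}")
```

The prefix comparison accepts the look-alike host from the advisory and also rejects a legitimate same-site link written with different case and an explicit default port; the parsed comparison gets both right.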

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0243

Sources (Detail)

https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa26...
https://github.com/langchain-ai/langchain/pull/15559
https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861

Alert History

Date Informations
2024-03-14 00:27:24
  • Multiple Updates
2024-02-26 21:27:26
  • First insertion