Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Injection by Prompt Injection in stitionai/devika
Vulnerability Description
stitionai/devika main branch as of commit cdfb782b0e634b773b10963c8034dc9207ba1f9f is vulnerable to Local File Read (LFI) by Prompt Injection. The integration of Google Gimini 1.0 Pro with `HarmBlockThreshold.BLOCK_NONE` for `HarmCategory.HARM_CATEGORY_HATE_SPEECH` and `HarmCategory.HARM_CATEGORY_HARASSMENT` in `safety_settings` disables content protection. This allows malicious commands to be executed, such as reading sensitive file contents like `/etc/passwd`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Devika 信息泄露漏洞
Vulnerability Description
Devika是stition开源的一个高级 AI 软件工程师。可以理解高级人类指令,将它们分解为步骤,研究相关信息,并编写代码以实现给定的目标。 Devika存在信息泄露漏洞,该漏洞源于容易受到提示注入的本地文件读取攻击,使得恶意命令可以执行,进而读取敏感文件内容。
CVSS Information
N/A
Vulnerability Type
N/A