Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pandas Query Injection in langgenius/dify
Vulnerability Description
A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.
CVSS Information
N/A
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Vulnerability Title
dify security vulnerability
Vulnerability Description
Dify is an open-source LLM application development platform released by LangGenius. Dify has a security vulnerability that stems from the Vanna module of Dify Tools being susceptible to Pandas query injection, which may lead to remote code execution.
CVSS Information
N/A
Vulnerability Type
N/A