Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WeKnora: Remote Code Execution via SQL Injection Bypass in AI Database Query Tool
Vulnerability Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within PostgreSQL array expressions and row expressions, allowing attackers to bypass SQL injection protections. By smuggling dangerous PostgreSQL functions inside these expressions and chaining them with large object operations and library loading capabilities, an unauthenticated attacker can achieve arbitrary code execution on the database server with database user privileges. This issue has been patched in version 0.2.12.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
WeKnora SQL注入漏洞
Vulnerability Description
WeKnora是Tencent开源的一个基于LLM的框架,具有使用RAG范式进行深度文档理解、语义检索和上下文感知答案等功能。 WeKnora 0.2.12之前版本存在SQL注入漏洞,该漏洞源于数据库查询功能存在远程代码执行,可能导致在数据库服务器上执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A