CVE-2023-36189: Mitigate issue #5923 (Prompt injection -> SQL injection in SQLChain) by boazwasserman · Pull Request #6051 · hwchase17/langchain
SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.
Add validation controls to the SQL chain to mitigate SQL injection issues.
Using sqlfluff to perform static analysis:
- Disallow non-select statements (INSERT, DROP)
- Disallow wildcard select statements
Some dialects that are supported by langchain are not supported by sqlfluff. It is possible to disallow usage of such dialects as well.
Also fixed the SQL integration tests, which were not working as expected.
Fixes #5923
BTW, looks like there is a huge diff on poetry.lock which doesn’t look OK to me, would appreciate any advice on how to resolve it (I was following the instructions found here https://github.com/hwchase17/langchain/blob/master/.github/CONTRIBUTING.md).
Who can review?
@hwchase17
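
The two checks listed in the description (SELECT only, no wildcard select), sketched as an added example that is not the PR's code and does not use sqlfluff: a small stdlib tokenizer stands in for sqlfluff's parser. The function names, the keyword deny list, the treatment of `COUNT(*)` and the sample queries in the test are assumptions constructed for illustration.

```python
import re

# Added example: stdlib stand-in for the sqlfluff checks, not the PR's code.
_TOKEN = re.compile(r"""
      --[^\n]*                   # line comment
    | /\*.*?\*/                  # block comment
    | '(?:[^']|'')*'             # string literal
    | "(?:[^"]|"")*"             # quoted identifier
    | [A-Za-z_][A-Za-z0-9_]*     # keyword or bare identifier
    | \d+(?:\.\d+)?              # number
    | \S                         # any other single character
    """, re.VERBOSE | re.DOTALL)
# Assumed deny list; INTO covers SELECT ... INTO, which creates a table.
_WRITE_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE",
                   "TRUNCATE", "MERGE", "GRANT", "REVOKE", "INTO"}
# A "*" right after one of these is a column wildcard; after "(" (COUNT(*))
# or an operand (price * 2) it is not. Allowing COUNT(*) is an assumption.
_WILDCARD_PREDECESSORS = {"SELECT", "DISTINCT", "ALL", ",", "."}


def tokenize(sql):
    """Upper-cased tokens with comments dropped and literals collapsed."""
    tokens = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith(("--", "/*")):
            continue
        if tok[0] in "'\"" and len(tok) > 1:
            tokens.append("<literal>")   # contents can never match a keyword
        else:
            tokens.append(tok.upper())
    return tokens


def validate_generated_sql(sql):
    """Return a list of policy violations; an empty list means the query passes."""
    tokens = tokenize(sql)
    while tokens and tokens[-1] == ";":   # a trailing terminator is harmless
        tokens.pop()
    problems = []
    if not tokens or tokens[0] != "SELECT":
        problems.append("not a SELECT statement")
    if ";" in tokens:
        problems.append("multiple statements")
    if _WRITE_KEYWORDS.intersection(tokens):
        problems.append("write/DDL keyword present")
    if any(t == "*" and i > 0 and tokens[i - 1] in _WILDCARD_PREDECESSORS
           for i, t in enumerate(tokens)):
        problems.append("wildcard select")
    return problems
```

A check like this runs on the model's output before it reaches the database; a read-only database role remains the stronger control because it does not depend on parsing.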