漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
LlamaIndex <= 0.12.2 VannaQueryEngine SQL Execution Allows Resource Exhaustion
Vulnerability Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
CVSS Information
N/A
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
LlamaIndex 安全漏洞
Vulnerability Description
LlamaIndex是LlamaIndex开源的一个 LLM 应用程序的数据框架。 LlamaIndex 0.12.2及之前版本存在安全漏洞,该漏洞源于VannaPack VannaQueryEngine实现中未强制执行查询执行限制,可能导致资源消耗型拒绝服务攻击。
CVSS Information
N/A
Vulnerability Type
N/A