CVE-2024-41950

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-1336
View all →

Vulnerability Description

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

Related Vulnerabilities

CVE-2022-25813

HIGH
CVSS:7.5(High)

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page....

CWE-13362022

CVE-2021-39128

HIGH
CVSS:7.2(High)

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-sid...

CWE-13362021

CVE-2022-47896

HIGH
CVSS:7.8(High)

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.

CWE-13362022

CVE-2023-29297

HIGH
CVSS:7.2(High)

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability tha...

CWE-13362023

CVE-2023-46245

HIGH
CVSS:7.2(High)

Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The ...

CWE-13362023

CVE-2023-5764

HIGH
CVSS:7.8(High)

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use ...

CWE-13362023