Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-41950

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-31 Jul, 2024 | 15:50
Updated At-31 Jul, 2024 | 16:20
Rejected At-
Credits

Insecure Jinja2 templates rendered in Haystack Components can lead to RCE

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:31 Jul, 2024 | 15:50
Updated At:31 Jul, 2024 | 16:20
Rejected At:
▼CVE Numbering Authority (CNA)
Insecure Jinja2 templates rendered in Haystack Components can lead to RCE

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

Affected Products
Vendor
deepset-ai
Product
haystack
Versions
Affected
  • < 2.3.1
Problem Types
TypeCWE IDDescription
CWECWE-1336CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Type: CWE
CWE ID: CWE-1336
Description: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677
x_refsource_CONFIRM
https://github.com/deepset-ai/haystack/pull/8095
x_refsource_MISC
https://github.com/deepset-ai/haystack/pull/8096
x_refsource_MISC
https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0
x_refsource_MISC
https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e
x_refsource_MISC
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1
x_refsource_MISC
Hyperlink: https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/deepset-ai/haystack/pull/8095
Resource:
x_refsource_MISC
Hyperlink: https://github.com/deepset-ai/haystack/pull/8096
Resource:
x_refsource_MISC
Hyperlink: https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0
Resource:
x_refsource_MISC
Hyperlink: https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e
Resource:
x_refsource_MISC
Hyperlink: https://github.com/deepset-ai/haystack/releases/tag/v2.3.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
deepset
Product
haystack
CPEs
  • cpe:2.3:a:deepset:haystack:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2.3.1 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:31 Jul, 2024 | 16:15
Updated At:31 Jul, 2024 | 16:15

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-1336Secondarysecurity-advisories@github.com
CWE ID: CWE-1336
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0security-advisories@github.com
N/A
https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89esecurity-advisories@github.com
N/A
https://github.com/deepset-ai/haystack/pull/8095security-advisories@github.com
N/A
https://github.com/deepset-ai/haystack/pull/8096security-advisories@github.com
N/A
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1security-advisories@github.com
N/A
https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677security-advisories@github.com
N/A
Hyperlink: https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/deepset-ai/haystack/pull/8095
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/deepset-ai/haystack/pull/8096
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/deepset-ai/haystack/releases/tag/v2.3.1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2024-32406
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.02% / 88.29%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 00:00
Updated-17 Dec, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Batch-Issue Exam Tickets function.

Action-Not Available
Vendor-inducern/aInducer
Product-relaten/aRelate
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
Details not found