CVE-2024-41950: Insecure Jinja2 templates rendered in Haystack Components can lead to RCE
Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code execution.
Certain Components in Haystack render Jinja2 templates; anyone who can create such a template and have it rendered on the client machine can run arbitrary code there.
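As an added example (not Haystack's own code), the following contrasts rendering a user-supplied template with a plain Jinja2 `Environment`, where attribute access is unrestricted, against Jinja2's `SandboxedEnvironment`, which refuses access to private and dunder attributes. It assumes Jinja2 is installed; the template strings and the `template_is_safe` pre-flight check are constructed for this illustration.

```python
# Added example, not Haystack code: why rendering an untrusted Jinja2 template
# with a plain Environment is a code-execution sink, and how Jinja2's sandbox
# turns such a template into a rejected render instead.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs: a benign prompt template, and a probe that reaches for
# Python internals through a dunder attribute. In a Haystack Pipeline the
# template string comes from whoever builds the pipeline.
BENIGN = "Answer the question: {{ query }}"
PROBE = "{{ query.__class__.__name__ }}"


def render_unsafe(template_src: str, **ctx) -> str:
    """Plain Environment: any attribute of any context object is reachable,
    so the template author decides which Python objects get touched."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, **ctx) -> str:
    """SandboxedEnvironment: access to attributes starting with '_' and other
    unsafe operations raise SecurityError instead of executing."""
    return SandboxedEnvironment().from_string(template_src).render(**ctx)


def template_is_safe(template_src: str, **ctx) -> bool:
    """Pre-flight check a pipeline loader can apply to a user-supplied template
    (hypothetical helper): True if the sandbox renders it cleanly, False if the
    sandbox rejects it."""
    try:
        render_sandboxed(template_src, **ctx)
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    print(render_unsafe(BENIGN, query="What is Haystack?"))
    print(render_sandboxed(BENIGN, query="What is Haystack?"))
    print(render_unsafe(PROBE, query="hi"))      # "str": internals are exposed
    print(template_is_safe(PROBE, query="hi"))   # False: the sandbox blocked it
```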
References
- github.com/advisories/GHSA-hx9v-6r9f-w677
- github.com/deepset-ai/haystack
- github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0
- github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e
- github.com/deepset-ai/haystack/pull/8095
- github.com/deepset-ai/haystack/pull/8096
- github.com/deepset-ai/haystack/releases/tag/v2.3.1
- github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677
- nvd.nist.gov/vuln/detail/CVE-2024-41950