Run-Llama Llama-Index SQL Injection Vulnerability in Vector Store Integrations

Vulnerability

A SQL injection vulnerability has been identified in multiple vector store integrations of the Run-Llama Llama-Index library; it was reported against version 0.12.21. The reference document ID that a caller passes to the integration is embedded into the SQL query the integration builds, rather than being bound as a query parameter, so an attacker who controls that value can change the query and read or write data through injected SQL. Depending on how Llama-Index is used within a web application (for example, a multi-tenant service that keeps several users' documents in one vector store), this can expose or destroy other users' data.

Impact

Exploitation of this vulnerability could allow an attacker who controls a value passed to the vector store (for example, a document ID taken from an HTTP request) to manipulate the generated SQL query, leading to unauthorized reading, modification or deletion of data in the affected vector store, including data belonging to other users of the same store.

Reproduction

To reproduce this vulnerability, first set up the Couchbase vector store integration following the instructions in the Llama-Index documentation and load a few documents into it. Then call the vector store's delete method with a crafted reference document ID instead of a real one, for example the string " OR '1'='1' (the exact quoting has to match how the integration quotes the value). Because the ID is inserted into the query string verbatim, the leading quote terminates the intended string literal and the appended OR '1'='1' makes the WHERE condition true for every row, so the resulting statement deletes all data from the vector store instead of only the nodes of one document. A convenient check is to count the stored nodes before and after the call: a fixed version deletes nothing for this ID, while a vulnerable one empties the store.

Remediation

Update to Llama-Index version 0.12.28 or later, where the affected integrations have been fixed. Until the upgrade is in place, do not pass user-controlled values as reference document IDs to the delete method of a vector store, or validate them against a strict allow-list pattern before doing so.
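The following added example (written for this page; it is not Llama-Index code and not its Couchbase integration) shows the pattern behind the bug described above and the fix. It uses an in-memory sqlite3 table as a stand-in for the vector store's backend, with constructed sample rows; delete_vulnerable interpolates the reference document ID into the statement the way an injectable delete does, while delete_fixed binds it as a parameter. The payload differs from the one in the reproduction only in matching the single-quote style used here.

```python
import sqlite3

# Constructed stand-in for a vector store backend (NOT Llama-Index's Couchbase
# integration; sqlite3 is used only so the pattern runs offline).
SAMPLE_NODES = [
    ("node-1", "doc-a", "first chunk of doc-a"),
    ("node-2", "doc-a", "second chunk of doc-a"),
    ("node-3", "doc-b", "only chunk of doc-b"),
    ("node-4", "doc-c", "only chunk of doc-c"),
]

# Crafted reference document ID: the leading quote closes the string literal
# that the vulnerable query wraps around it, the rest appends an always-true OR.
PAYLOAD = "' OR '1'='1"


def make_store() -> sqlite3.Connection:
    """Create an in-memory table of nodes keyed by their reference document ID."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nodes (node_id TEXT PRIMARY KEY, ref_doc_id TEXT NOT NULL, text TEXT)"
    )
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)", SAMPLE_NODES)
    conn.commit()
    return conn


def render_vulnerable_sql(ref_doc_id: str) -> str:
    """Build the statement the way an injectable delete does: by string formatting."""
    return f"DELETE FROM nodes WHERE ref_doc_id = '{ref_doc_id}'"


def delete_vulnerable(conn: sqlite3.Connection, ref_doc_id: str) -> int:
    """Vulnerable: the caller-controlled ID is parsed by the database as SQL."""
    cur = conn.execute(render_vulnerable_sql(ref_doc_id))
    conn.commit()
    return cur.rowcount  # number of rows deleted


def delete_fixed(conn: sqlite3.Connection, ref_doc_id: str) -> int:
    """Hardened: the ID is bound as a parameter, so it is only ever a value."""
    cur = conn.execute("DELETE FROM nodes WHERE ref_doc_id = ?", (ref_doc_id,))
    conn.commit()
    return cur.rowcount


def count_nodes(conn: sqlite3.Connection) -> int:
    """Rows currently in the store; compare before and after a delete call."""
    return conn.execute("SELECT COUNT(*) FROM nodes").fetchone()[0]


def demo() -> dict:
    """Run the same legitimate and crafted deletes against both variants."""
    results = {}
    conn = make_store()
    results["vuln_legit"] = delete_vulnerable(conn, "doc-b")    # 1: only doc-b's node
    results["vuln_payload"] = delete_vulnerable(conn, PAYLOAD)  # 3: everything left
    results["vuln_remaining"] = count_nodes(conn)               # 0: store emptied
    conn.close()

    conn = make_store()
    results["fixed_legit"] = delete_fixed(conn, "doc-b")        # 1
    results["fixed_payload"] = delete_fixed(conn, PAYLOAD)      # 0: no such ID exists
    results["fixed_remaining"] = count_nodes(conn)              # 3
    conn.close()
    return results


if __name__ == "__main__":
    print(render_vulnerable_sql(PAYLOAD))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For Couchbase's N1QL the equivalent of the "?" placeholder is the SDK's query parameters; the principle is the same for every backend: the reference document ID must reach the database as a bound value, never as part of the statement text. Validating the ID against a strict pattern before calling delete is useful defence in depth but not a substitute for parameter binding.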

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.