A Python command injection vulnerability exists in the `SagemakerLLM` class's `complete()` method within `./private_gpt/components/llm/custom/sagemaker.py` of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the `eval()` function to parse a string received from a remote AWS SageMaker LLM endpoint into a dictionary. This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the application. The issue is fixed in version 0.6.0.
                
            Metrics
Affected Vendors & Products
References
        History
                    Thu, 17 Jul 2025 01:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Pribai Pribai privategpt | |
| CPEs | cpe:2.3:a:pribai:privategpt:*:*:*:*:*:*:*:* | |
| Vendors & Products | Pribai Pribai privategpt | 
Mon, 18 Nov 2024 21:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Imartinez Imartinez imartinez Privategpt | |
| CPEs | cpe:2.3:a:imartinez:imartinez_privategpt:*:*:*:*:*:*:*:* | |
| Vendors & Products | Imartinez Imartinez imartinez Privategpt | |
| Metrics | cvssV3_1 
 
 | 
Thu, 14 Nov 2024 17:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | A Python command injection vulnerability exists in the `SagemakerLLM` class's `complete()` method within `./private_gpt/components/llm/custom/sagemaker.py` of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the `eval()` function to parse a string received from a remote AWS SageMaker LLM endpoint into a dictionary. This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the application. The issue is fixed in version 0.6.0. | |
| Title | Python Command Injection in imartinez/privategpt | |
| Weaknesses | CWE-78 | |
| References |  | |
| Metrics | cvssV3_0 
 | 
 MITRE
                        MITRE
                    Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-11-14T17:32:38.867Z
Updated: 2024-11-18T20:29:54.739Z
Reserved: 2024-04-30T12:36:04.225Z
Link: CVE-2024-4343
 Vulnrichment
                        Vulnrichment
                    Updated: 2024-11-18T20:29:04.696Z
 NVD
                        NVD
                    Status : Analyzed
Published: 2024-11-14T18:15:19.687
Modified: 2025-07-17T01:33:59.290
Link: CVE-2024-4343
 Redhat
                        Redhat
                    No data.
 ReportizFlow
ReportizFlow