CVE-2024-45201: 
Python vulnerability analysis and mitigation

An issue was discovered in llamaindex before version 0.10.38. The vulnerability exists in download/integration.py where an exec call for import {clsname} introduces a potential code injection risk. The vulnerability was disclosed on August 22, 2024, and affects all versions of llama_index prior to 0.10.38 (NVD).

The vulnerability is classified as a Code Injection vulnerability (CWE-94). The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from an unsafe exec call in the download/integration.py file that could allow for arbitrary code execution through the cls_name parameter (NVD).

The vulnerability could allow an attacker with low privileges to execute arbitrary code on the affected system, potentially leading to complete system compromise. The high CVSS score indicates severe potential impacts on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed in llamaindex version 0.10.38. Users are strongly advised to upgrade to this version or later. The fix involved removing the exec call from the downloadintegration functionality (Github PR).