Overseas TECH |
DEV Community |
LangChain Arbitrary Command Execution - CVE-2023-34541 |
https://dev.to/tutorialboy/langchain-arbitrary-command-execution-cve-2023-34541-38kf
|
LangChain Arbitrary Command Execution - CVE-2023-34541

Vulnerability Introduction

LangChain is a framework for developing applications driven by language models. In the affected versions of LangChain, the load_prompt function performs no security filtering on the content it loads when it loads a prompt file. An attacker can therefore construct a prompt file containing malicious commands and induce a user to load it, which causes arbitrary system commands to be executed.

Vulnerability Reproduction

Write the following under the project as test.py:

    from langchain.prompts import load_prompt

    if __name__ == "__main__":
        loaded_prompt = load_prompt("system.py")

Write system.py in the same directory; it executes the system command dir:

    import os

    os.system("dir")

Running test.py returns the output of dir, i.e. the result of executing a system command.

Vulnerability Analysis: load_prompt from a file

langchain.prompts.loading.load_prompt first calls try_load_from_hub, which attempts to load a file remotely from the given path. Because we are loading a local file, the next step jumps to _load_prompt_from_file (langchain.prompts.loading).

In _load_prompt_from_file the handling depends on the file's suffix: when the suffix is .py, the file is read and passed to exec to be executed. That is to say, the code can be abbreviated as:

    if __name__ == "__main__":
        file_path = "system.py"
        with open(file_path, "rb") as f:
            exec(f.read())

Vulnerability Analysis: try_load_from_hub

Because of the network, there has been no way to reproduce this path successfully; here is a detailed analysis at the code level.

    from langchain.prompts import load_prompt

    if __name__ == "__main__":
        loaded_prompt = load_prompt("lc://prompts/system.py")

langchain.prompts.loading.load_prompt calls langchain.utilities.loading.try_load_from_hub. The path is first matched against HUB_PATH_RE, a compiled regular expression with the named groups ref and path, so the path must begin with lc. The content that follows is then matched: the first field must be prompts and the final suffix must be one of py, yaml or json. Finally, the URL of the spliced request can point to a file we control, bypassing the project's restrictions, and that file is read and loaded to achieve arbitrary command execution.

Vulnerability Summary

Trying on the latest version, this vulnerability still exists. The essence of this vulnerability is that it can load and execute local or specified Python files, but this problem should not be so easy to exploit in practical applications, because the address of the Python file must be controllable for it to work.

Support Links: Source |
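As an added example that is not part of the original post or of LangChain, here is the shape of a loader that closes the path described above: every prompt reference is classified before anything is opened, .py and hub (lc://) references are refused, and only JSON data is parsed, so no branch ever reaches exec(). The names classify_prompt_ref, safe_load_prompt, HUB_REF_RE and the template/input_variables schema are this example's own assumptions.

```python
import json
import re
from pathlib import Path

# Added example, not LangChain code: a loader with no executable branch at all.
ALLOWED_SUFFIXES = {".json"}  # yaml omitted to stay dependency-free

# Assumed shape of a hub reference, following the page's description (an "lc"
# prefix before "://"); the example's own pattern, not LangChain's HUB_PATH_RE.
HUB_REF_RE = re.compile(r"^lc(?:@[^:/]+)?://")


def classify_prompt_ref(ref: str) -> str:
    """Return "ok" if the reference may be opened, otherwise the reason it is refused."""
    if HUB_REF_RE.match(ref):
        return "refused: remote hub references are disabled"
    suffix = Path(ref).suffix.lower()
    if suffix == ".py":
        return "refused: executable prompt files are never loaded"
    if suffix not in ALLOWED_SUFFIXES:
        return f"refused: unsupported prompt format {suffix or '<none>'}"
    return "ok"


def safe_load_prompt(ref: str, base_dir: Path) -> dict:
    """Load a JSON prompt file that lives inside base_dir; the file is treated as data only."""
    verdict = classify_prompt_ref(ref)
    if verdict != "ok":
        raise ValueError(verdict)  # refused before any file is opened
    base = base_dir.resolve()
    target = (base / ref).resolve()
    if base not in target.parents:  # keeps "../other.json" out of the prompt tree
        raise ValueError("refused: path escapes the prompt directory")
    with target.open("r", encoding="utf-8") as f:
        data = json.load(f)  # json.load parses data; it cannot execute code
    if not isinstance(data, dict):
        raise ValueError("refused: prompt file is not a JSON object")
    template = data.get("template")
    variables = data.get("input_variables", [])
    if not isinstance(template, str) or not all(isinstance(v, str) for v in variables):
        raise ValueError("refused: prompt file does not match the expected schema")
    return {"template": template, "input_variables": list(variables)}


if __name__ == "__main__":
    import tempfile

    demo_dir = Path(tempfile.mkdtemp())
    # Constructed sample prompt file for the demo.
    (demo_dir / "greeting.json").write_text(
        '{"template": "Hello {name}", "input_variables": ["name"]}', encoding="utf-8")
    print(safe_load_prompt("greeting.json", demo_dir))
    print(classify_prompt_ref("system.py"))  # refused, never read
```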
2023-07-09 20:40:34 |
Overseas TECH |
Engadget |
Evernote is relocating to Europe after laying off most of its US workforce |
https://www.engadget.com/evernote-is-relocating-to-europe-after-laying-off-most-of-its-us-workforce-205012133.html?src=rss
|
Evernote is relocating to Europe after laying off most of its US workforce

Evernote has axed most of its workforce. In a statement shared with SFGate, Bending Spoons, the Milan-based app developer that bought the company last November, said Friday it had laid off nearly all of Evernote's employees in the US and Chile. Bending Spoons plans to move most of the company's remaining operations to Europe. The layoffs come less than six months after the firm cut positions at Evernote because the app had been unprofitable for years. Bending Spoons didn't share exactly how many employees were affected by this latest round of layoffs. A scan of LinkedIn reveals some software engineers that had been with Evernote for a few years lost their jobs on Friday.

"Our plans for Evernote are as ambitious as ever. Going forward, a growing, dedicated team based in Europe will continue to assume ownership of the Evernote product," Bending Spoons CEO Luca Ferrari told SFGate. "This team will also be in an ideal position to leverage the extensive expertise and strength of the plus workforce at Bending Spoons, many of whom have been working on Evernote full time since the acquisition." Ferrari added Bending Spoons would provide affected employees with weeks of salary, a prorated performance bonus and up to one year of health insurance. How the company plans to make Evernote successful in a market crowded with competitors like Notion and Obsidian, Ferrari did not say.

Whatever Bending Spoons has planned for Evernote, there's no denying this marks another low point for what was once one of the more popular note-taking apps you could download and an early darling of the App Store boom. Evernote enjoyed a valuation of billion at its height, but a lack of focus and buggy software left the company a shell of itself in recent years. This article originally appeared on Engadget at |
2023-07-09 20:50:12 |
News |
BBC News - Home |
Joe Biden lands in UK to meet Sunak amid concern over Ukraine cluster bombs |
https://www.bbc.co.uk/news/world-europe-66146457?at_medium=RSS&at_campaign=KARANGA
|
ukraine |
2023-07-09 20:56:05 |
News |
BBC News - Home |
Wimbledon 2023 results: Iga Swiatek fights back to beat Belinda Bencic, Elina Svitolina wins |
https://www.bbc.co.uk/sport/tennis/66147934?at_medium=RSS&at_campaign=KARANGA
|
Wimbledon results: Iga Swiatek fights back to beat Belinda Bencic, Elina Svitolina wins. Top seed Iga Swiatek saves two match points to fend off Belinda Bencic in thrilling fashion and reach a first Wimbledon quarter-final. |
2023-07-09 20:27:33 |
Business |
Diamond Online - New Articles |
Condominium tax-saving schemes and lifetime gifts: 2024 rule changes to the two big inheritance-tax-saving techniques usher in an era of heavy tax increases - Highlights of this week's Weekly Diamond |
https://diamond.jp/articles/-/325818
|
Condominium tax-saving schemes and lifetime gifts: 2024 rule changes to the two big inheritance-tax-saving techniques usher in an era of heavy tax increases. Highlights of this week's Weekly Diamond: the feature of the combined issue of Weekly Diamond is "Inheritance and lifetime gifts you must not do". |
2023-07-10 05:30:00 |
Business |
Diamond Online - New Articles |
Letting off steam through job hunting? Recruiters can see right through it - from the WSJ |
https://diamond.jp/articles/-/325899
|
letting off steam |
2023-07-10 05:26:00 |
Business |
Diamond Online - New Articles |
Remote work in the US spreads even to unexpected occupations - from the WSJ |
https://diamond.jp/articles/-/325900
|
occupations |
2023-07-10 05:25:00 |
Business |
Diamond Online - New Articles |
Lawyers, accountants, tax accountants... what is the "right path" to winning in the AI era? A broad outlook on the professions five years from now - Japan's resurgence & upheaval from AI! The new industry map five years from now |
https://diamond.jp/articles/-/325726
|
chatgpt |
2023-07-10 05:25:00 |
Business |
Diamond Online - New Articles |
Brain drain from China could seriously affect its economy - from the WSJ |
https://diamond.jp/articles/-/325901
|
brain drain |
2023-07-10 05:23:00 |
Business |
Diamond Online - New Articles |
Is the US stock market's "entry into a bull market" genuine? Reading where prices are headed from 50 years of bull markets - Policy & Market Lab |
https://diamond.jp/articles/-/325804
|
sampp |
2023-07-10 05:20:00 |
Business |
Diamond Online - New Articles |
What is the outlook for "auto insurance", which accounts for more than half of non-life insurers' sales? - Diamond Insurance Lab |
https://diamond.jp/articles/-/325824
|
sales |
2023-07-10 05:15:00 |
Business |
Diamond Online - New Articles |
An AI illustrator teaches how to "earn money with image-generating AI", with illustrated walkthroughs of examples anyone can create - Transformed by ChatGPT! The strongest qualifications, side jobs and re-skilling, chosen for cost and time performance |
https://diamond.jp/articles/-/325370
|
chatgpt |
2023-07-10 05:10:00 |
Business |
Diamond Online - New Articles |
People in their 20s and 30s are also restructuring targets... Does being laid off put you at a disadvantage when changing jobs? [An expert explains] - People who become happy and people who become unhappy by changing jobs, Takahiro Maruyama |
https://diamond.jp/articles/-/325823
|
workforce reduction |
2023-07-10 05:05:00 |
Business |
Dentsu-ho | Advertising industry trends and marketing columns and news |
The industrial heritage of the Kurobe River that Kansai Electric Power passes on to future generations |
https://dentsu-ho.com/articles/8611
|
industrial heritage |
2023-07-10 06:00:00 |
Business |
Toyo Keizai Online |
The fundamental reason a "feed surcharge" cannot save dairy farming: a system debated at MAFF to reflect feed costs in milk prices | Food | Toyo Keizai Online |
https://toyokeizai.net/articles/-/684973?utm_source=rss&utm_medium=http&utm_campaign=link_back
|
Toyo Keizai Online |
2023-07-10 05:50:00 |
Business |
Toyo Keizai Online |
Japanese firms sit on the fence as the "black ships" of an IoT appliance standard arrive: is Japan becoming "Galapagos-ized" in smart homes too? | IT, Electronics, Semiconductors & Components | Toyo Keizai Online |
https://toyokeizai.net/articles/-/683749?utm_source=rss&utm_medium=http&utm_campaign=link_back
|
artificial intelligence |
2023-07-10 05:40:00 |
Business |
Toyo Keizai Online |
Honda swings the axe with its "engine exit", leaving its keiretsu suppliers fearful: Yachiyo, a trading partner since Soichiro's era, to be sold to an Indian company | Management | Toyo Keizai Online |
https://toyokeizai.net/articles/-/685212?utm_source=rss&utm_medium=http&utm_campaign=link_back
|
fearful |
2023-07-10 05:30:00 |
Business |
Toyo Keizai Online |
Real-estate investment with "yields of 5% or below" is headed straight for collapse: five reasons professionals unanimously call it "dangerous" | Real Estate | Toyo Keizai Online |
https://toyokeizai.net/articles/-/685186?utm_source=rss&utm_medium=http&utm_campaign=link_back
|
real-estate investment |
2023-07-10 05:20:00 |
Overseas TECH |
reddit |
Post Game Thread (Jul 9, 2023): Mariners (45-44) @ Astros (50-41) |
https://www.reddit.com/r/Astros/comments/14v9562/post_game_thread_jul_9_2023_mariners_4544_astros/
|
Post Game Thread (Jul 9, 2023): Mariners @ Astros

Line Score: Game Over. R H E LOB: SEA, HOU.

Box Score, HOU (AB R H RBI BB SO BA): B Dubón, B Bregman, RF Tucker, B Abreu J, DH Diaz Y, LF McCormick, SS Peña, CF Meyers, C Maldonado M. HOU pitching (IP H R ER BB SO P-S ERA): Bielak, Montero, Abreu B, Maton P.

Box Score, SEA (AB R H RBI BB SO BA): SS Crawford J, CF Rodríguez Ju, B France T, RF Hernández T, B Suárez E, LF Kelenic, C Raleigh, DH Ford M, B Wong Ko. SEA pitching (IP H R ER BB SO P-S ERA): Gilbert L, Brash, Sewald.

Scoring Plays (Inning, Event, Score):
T: Teoscar Hernandez doubles on a sharp line drive to center fielder Jake Meyers. Julio Rodriguez scores. Ty France to 3rd.
T: Jarred Kelenic doubles on a sharp line drive to center fielder Jake Meyers. Ty France scores. Teoscar Hernandez scores.
B: Martin Maldonado homers on a fly ball to right center field.

Highlights (Description, Length, Video): Bullpen availability for Houston, July vs Mariners; Bullpen availability for Seattle, July vs Astros; Fielding alignment for Houston, July vs Mariners; Breaking down Brandon Bielak's pitches; Brandon Bielak's outing against the Mariners; The distance behind Martín Maldonado's home run; An animated look at Martín Maldonado's home run; Breaking down Logan Gilbert's pitches; Logan Gilbert's outing against the Astros; Chas McCormick leaps into the wall to make a catch; Teoscar Hernández floats an RBI double to left center; Jarred Kelenic laces a two-run double to right center; Jeremy Peña ranges to his right to make a smooth play; Brandon Bielak strikes out Cal Raleigh swinging; Martín Maldonado cranks a solo homer to right center; Brandon Bielak strikes out five against the Mariners; Julio Rodríguez laces a single to center field; Logan Gilbert strikes out Chas McCormick swinging; Logan Gilbert fans six during his quality start.

Decisions: Winning Pitcher Gilbert L (ERA); Losing Pitcher Bielak (ERA); Save Sewald (SV, ERA). Game ended at PM. Submitted by u/AstrosBot to r/Astros. |
2023-07-09 20:40:29 |