Vanna v0.3.4 vulnerable to SQL injection in Flask Web APIs
CVE-2024-5827
9.8 CRITICAL
What is CVE-2024-5827?
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration, reachable through the Flask Web APIs. An attacker can inject malicious SQL training data, which leads to the generation of arbitrary queries capable of writing files to the victim's file system. Exploitation could result in the creation of files such as backdoor.php containing potentially harmful PHP code that enables command execution and unauthorized access to the system.
Affected Version(s)
vanna-ai/vanna <= unspecified
EPSS Score
46% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved