SQL Injection Vulnerability in Vanna Application by Vanna Software
CVE-2024-8055
7.5 HIGH
What is CVE-2024-8055?
Vanna version 0.6.3 is vulnerable to SQL injection in its Snowflake file-staging functionality. User-controlled input is interpolated, without validation, into the Snowflake PUT and COPY commands that stage and load files, so an unauthenticated remote attacker who can reach the exposed Python Flask API can supply crafted input that alters the resulting SQL and executes attacker-chosen statements. In particular, the attacker can point the staging commands at arbitrary local files on the server, such as configuration files or user data, and read their contents through the database, which makes this a significant confidentiality risk.
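The pattern behind this class of bug, shown as an added example that is not Vanna's code and not taken from the advisory: a builder that drops a user-supplied file name straight into a Snowflake PUT command, beside a hardened builder that confines the name to an allowlisted character set and a fixed upload directory. Snowflake's PUT and COPY take the file location as a literal in the statement text rather than as a bind variable, so input validation, not parameter binding, is the control. The stage, table, directory and file names below are hypothetical, and `statement_count` is a deliberately small quote-aware splitter used only to make the injected second statement visible.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs (hypothetical; not from the advisory).
SAFE_NAME = "report_2024.csv"
HOSTILE_NAME = "x.csv'; COPY INTO t FROM 'file:///etc/passwd"  # closes the literal, appends a statement
UPLOAD_ROOT = "/srv/uploads"  # hypothetical directory the service is allowed to stage from


def build_put_unsafe(local_path: str, stage: str) -> str:
    """Vulnerable pattern: caller-controlled text concatenated into the command."""
    return f"PUT 'file://{local_path}' @{stage} AUTO_COMPRESS=TRUE"


# Allowlists: a bare file name (no separators, quotes, or whitespace) and a plain identifier.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")
_SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,254}$")


def _checked_name(file_name: str) -> str:
    if file_name in (".", "..") or not _SAFE_NAME.fullmatch(file_name):
        raise ValueError("rejected file name")
    return file_name


def _checked_ident(ident: str) -> str:
    if not _SAFE_IDENT.fullmatch(ident):
        raise ValueError("rejected identifier")
    return ident


def build_put_safe(file_name: str, stage: str) -> str:
    """Hardened: only a validated bare name, anchored under UPLOAD_ROOT, reaches the SQL text."""
    local = PurePosixPath(UPLOAD_ROOT) / _checked_name(file_name)
    return f"PUT 'file://{local}' @{_checked_ident(stage)} AUTO_COMPRESS=TRUE"


def build_copy_safe(table: str, stage: str, file_name: str) -> str:
    """Hardened COPY: table and stage are validated identifiers, the file a validated bare name."""
    return (
        f"COPY INTO {_checked_ident(table)} "
        f"FROM @{_checked_ident(stage)}/{_checked_name(file_name)}"
    )


def statement_count(sql: str) -> int:
    """Count statements by splitting on ';' outside single-quoted literals ('' is an escaped quote)."""
    count, in_str, i = 1, False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1  # escaped quote inside the literal
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    print(build_put_unsafe(HOSTILE_NAME, "mystage"))  # two statements, second reads /etc/passwd
    print(statement_count(build_put_unsafe(HOSTILE_NAME, "mystage")))
    print(build_put_safe(SAFE_NAME, "mystage"))
    try:
        build_put_safe(HOSTILE_NAME, "mystage")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist also rejects path separators, so traversal strings such as `../../etc/passwd` fail the same check as the quote-breaking payload; resolving the name under a fixed directory means that even a name that passes cannot address files outside it.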
Affected Version(s)
vanna-ai/vanna <= unspecified