CVE-2024-5753: Vanna vulnerable to SQL Injection

July 5, 2024 (updated July 8, 2024)

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as pg_read_file(). This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like /etc/passwd, by exploiting the exposed SQL queries via a Python Flask API.

References

github.com/advisories/GHSA-mwxm-35f8-6vg2
github.com/vanna-ai/vanna
huntr.com/bounties/a3f913d6-c717-4528-b974-26d8d9e839ca
nvd.nist.gov/vuln/detail/CVE-2024-5753

Detect and mitigate CVE-2024-5753 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →