PyPI: Vanna

CVE-2024-5753

Safety vulnerability ID: 72081

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 05, 2024. Updated at Nov 29, 2024.

Advisory

Affected versions of vanna-ai/vanna are vulnerable to SQL injection involving file-critical functions such as `pg_read_file()`. The application exposes SQL queries through a Python Flask API, and this vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`.

Affected package

vanna

Latest version: 0.7.5

Generate SQL queries from natural language

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
