The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.
Metrics
Affected Vendors & Products
References
History
Mon, 25 Nov 2024 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Vanna-ai
Vanna-ai vanna |
|
CPEs | cpe:2.3:a:vanna-ai:vanna:-:*:*:*:*:*:*:* | |
Vendors & Products |
Vanna-ai
Vanna-ai vanna |
|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: JFROG
Published: 2024-05-31T14:24:21.663Z
Updated: 2024-11-25T12:52:55.405Z
Reserved: 2024-05-31T13:56:13.026Z
Link: CVE-2024-5565
Vulnrichment
Updated: 2024-08-01T21:18:06.558Z
NVD
Status : Awaiting Analysis
Published: 2024-05-31T15:15:09.673
Modified: 2024-11-25T13:15:07.310
Link: CVE-2024-5565
Redhat
No data.