vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-07-05T19:27:22.046Z
Updated: 2024-08-01T21:18:07.118Z
Reserved: 2024-06-07T16:34:29.184Z
Link: CVE-2024-5753
Vulnrichment
Updated: 2024-08-01T21:18:07.118Z
NVD
Status : Awaiting Analysis
Published: 2024-07-05T20:15:02.343
Modified: 2024-07-08T15:49:22.437
Link: CVE-2024-5753
Redhat
No data.