GHSA-mwxm-35f8-6vg2

Source
https://github.com/advisories/GHSA-mwxm-35f8-6vg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-mwxm-35f8-6vg2/GHSA-mwxm-35f8-6vg2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mwxm-35f8-6vg2
Aliases
  • CVE-2024-5753
Published
2024-07-05T21:31:44Z
Modified
2024-07-08T14:44:47.208178Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vanna vulnerable to SQL Injection
Details

vanna-ai/vanna v0.3.4 exposes SQL queries through its Python Flask API without adequate validation, leaving it open to SQL injection. An unauthenticated remote user can inject calls to file-access functions such as PostgreSQL's pg_read_file() and thereby read arbitrary local files from the victim server's filesystem, including sensitive files like /etc/passwd. The impact is information disclosure (CWE-200) rather than data modification, which is why both CVSS vectors score confidentiality as High and integrity and availability as None. Two practical caveats: pg_read_file() reads from the filesystem of the PostgreSQL server and is restricted to superusers unless the pg_read_server_files role has been granted, so the files an attacker obtains depend on the privileges of the database role the application connects with; and this advisory lists 0.3.4 as the last affected version without naming a fixed release, so check the project's own release notes before assuming a later version is patched.

Database specific
{
    "nvd_published_at": "2024-07-05T20:15:02Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T14:21:03Z"
}
References

Affected packages

PyPI / vanna

Affected ranges (type: ECOSYSTEM)
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Last affected: 0.3.4 (no fixed version is listed)

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.1.0
0.1.1
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4