CVE-2024-5753

Summary

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as pg_read_file(). This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like /etc/passwd, by exploiting the exposed SQL queries via a Python Flask API.

Affected Software

VendorProductVersion RangeStatus
vanna-aivanna-ai/vannaunspecified <= latestaffected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References