11 matches found
Malicious Package Injection
DuckDB is vulnerable to malicious package injection. The vulnerability is due to unauthorized access and compromise of the npm package publishing process, which allowed an attacker to upload malicious versions of DuckDB’s Node.js packages containing code that interfered with cryptocurrency...
EUVD-2024-0052
Malicious code in bioql PyPI...
DuckDB Security Vulnerability
DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A security vulnerability exists in DuckDB that stems from malicious code being planted in npm packages that could interfere with cryptocurrency transactions. The following products and versions are affected: duck...
CVE-2024-8099
CVE-2024-8099 describes a Server-Side Request Forgery (SSRF) in the latest version of vanna-ai/vanna when using DuckDB as the database. The vulnerability allows an attacker to craft SQL queries leveraging DuckDB default features such as read_csv, read_csv_auto, read_text, and read_blob to make un...
CVE-2024-41672
DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in the filesystem is accessible for reading using sniff_csv, even with enable_external_access=false. This vulnerability provides an attacker with access to the filesystem even when access is expected to be disabled and other...
aau-gomapedge-etl (=0.4.1), altimate-dataminion (>=0.0.11 <=0.0.20) +45 more potentially affected by CVE-2024-41672 via duckdb (=1.0.0)
duckdb PYPI version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on duckdb and may be impacted: - aau-gomapedge-etl =0.4.1 - altimate-dataminion =0.0.11, =0.3.0.2, =0.14.0, =2.2.1, =0.2.2, =0.10.23, =0.10.0, =0.1.3, =1.0.1, =0.3.0, =0.7.3 and mo...
DuckDB < 1.1.0 Unauthorized Filesystem Read (CVE-2024-41672)
The version of DuckDB installed on the remote host is affected by a vulnerability as referenced in the CVE-2024-41672 advisory. - In versions 1.0.0 and prior, content in the filesystem is accessible for reading using 'sniff_csv', even with 'enable_external_access=false'. This vulnerability provides an...
A SQL Injection in DuckDB via prompt can lead to RCE
# {query} is caller-controlled text interpolated straight into a SQL string literal
sql = f"""
    SELECT fts_main_{self.table_name}.match_bm25({self.node_id_column}, '{query}') AS score, {self.node_id_column}, {self.text_column}
    FROM {self.table_name}
    WHERE score IS NOT NULL
    ORDER BY score DESC
    LIMIT {self.similarity_top_k};
"""
The DuckDBRetriever performs "search using string" and...
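Rendered out, the f-string above places the caller's query text inside a SQL string literal with no escaping, so a single quote in the input ends the literal and everything after it is executed as SQL. The following is an added example, not code from the report or from the retriever: it shows what the template becomes for a benign and for a crafted query value, and the prepared-statement form that closes the hole. The table name `docs`, the columns `node_id` and `text`, and the path `/etc/hostname` are assumptions chosen for the demonstration.

```sql
-- Constructed setup (assumption): a small document table with a DuckDB FTS index,
-- which is what fts_main_<table>.match_bm25 in the retriever's template relies on.
INSTALL fts; LOAD fts;
CREATE TABLE docs (node_id VARCHAR, text VARCHAR);
INSERT INTO docs VALUES ('n1', 'duckdb stores columns'), ('n2', 'postgres stores rows');
PRAGMA create_fts_index('docs', 'node_id', 'text');

-- (1) What the template renders to for a benign query string, query = 'duckdb'.
SELECT fts_main_docs.match_bm25(node_id, 'duckdb') AS score, node_id, text
FROM docs
WHERE score IS NOT NULL
ORDER BY score DESC
LIMIT 5;

-- (2) The same template with a crafted query string:
--   x') AS score, node_id, (SELECT content FROM read_text('/etc/hostname')) FROM docs; --
-- The quote closes the literal, the attacker's SELECT list and FROM clause replace the
-- retriever's, and the injected "--" comments out the rest of the original template.
-- Rendered statement (one line, as the f-string produces it):
SELECT fts_main_docs.match_bm25(node_id, 'x') AS score, node_id, (SELECT content FROM read_text('/etc/hostname')) FROM docs; --') AS score, node_id, text FROM docs WHERE score IS NOT NULL ORDER BY score DESC LIMIT 5;

-- (3) Fix: bind the query text as a parameter instead of formatting it into the string.
-- Identifiers (table and column names) cannot be bound, so those must be validated
-- against an allow-list before being interpolated; only the search text is user data.
PREPARE fts_search AS
  SELECT fts_main_docs.match_bm25(node_id, ?) AS score, node_id, text
  FROM docs
  WHERE score IS NOT NULL
  ORDER BY score DESC
  LIMIT 5;

-- The crafted string is now an ordinary search term (quotes doubled here only because
-- this is a SQL literal in the test; a driver passes the raw Python string as the
-- bound value). It cannot leave the literal, so no file is read: the result is empty.
EXECUTE fts_search('x'') AS score, node_id, (SELECT content FROM read_text(''/etc/hostname'')) FROM docs; --');
```

In the Python driver the equivalent of step (3) is `con.execute(sql, [query])` with a `?` placeholder in place of `'{query}'`; the `{self.table_name}` and `{self.*_column}` substitutions stay as f-string interpolation but should be checked against the retriever's own configured names rather than accepted from callers.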
PYSEC-2024-203
DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in the filesystem is accessible for reading using sniff_csv, even with enable_external_access=false. This vulnerability provides an attacker with access to the filesystem even when access is expected to be disabled and other...
a-data-processing (=0.0.1), aau-gomapedge-etl (>=0.3.2 <=0.4.1) +209 more potentially affected by CVE-2024-41672 via duckdb (>=0.10.0 <=1.0.0)
duckdb PYPI version =0.10.0, =0.3.2, =0.6.0, =0.8.6, =0.0.3, =0.2.0, =0.2.4.9rc0, =1.3.0, =0.34.0, =0.4.0, =0.9.2, =0.9.4 and more Source cves: CVE-2024-41672 Source advisory: OSV:PYSEC-2024-203...
DuckDB Security Vulnerability
DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A security vulnerability exists in DuckDB 1.0.0 and earlier versions, which stems from the ability of sniff_csv to provide file system access even when enable_external_access is disabled, which could allow an attack...
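CVE-2024-8099 and CVE-2024-41672 share a root cause: DuckDB's file-reading table functions are reachable from any SQL statement, and the one switch intended to cut them off, `enable_external_access`, was not honoured by `sniff_csv` in 1.0.0 and earlier. The SQL below is an added example, not taken from either advisory or from DuckDB's documentation. It shows the primitives the vanna SSRF relies on, the configuration that blocks them when DuckDB executes untrusted or model-generated SQL, and the query that exposed the gap. The file paths, the cloud metadata URL used as an SSRF target, and the paraphrased error messages are assumptions.

```sql
-- (1) Default configuration: table functions read the local file system and, once
-- the httpfs extension is loaded, arbitrary URLs. When the SQL text is influenced by
-- a user or an LLM (the CVE-2024-8099 setting), each of these is a read or SSRF primitive.
SELECT content FROM read_text('/etc/hostname');                       -- local file read
SELECT * FROM read_csv_auto('/etc/passwd', delim = ':', header = false);
INSTALL httpfs; LOAD httpfs;
SELECT * FROM read_csv_auto('http://169.254.169.254/latest/meta-data/');  -- SSRF to cloud metadata (assumed target)

-- (2) Hardening for a process that runs untrusted SQL: turn external access off,
-- then lock the configuration so the same untrusted SQL cannot turn it back on.
SET enable_external_access = false;
SET lock_configuration = true;

SELECT content FROM read_text('/etc/hostname');
-- Permission Error: file system access has been disabled by configuration (paraphrased)
SET enable_external_access = true;
-- Error: the configuration has been locked (paraphrased)

-- A deployment check that works from any SQL client:
SELECT current_setting('enable_external_access');                     -- expect false

-- (3) CVE-2024-41672: on DuckDB 1.0.0 and earlier the sniffer did not consult the
-- setting, so with (2) in place this still opened and parsed the file, returning its
-- dialect, detected columns and a read_csv prompt derived from the contents.
-- On 1.1.0 and later it fails with the same permission error as read_text.
SELECT Delimiter, Columns, Prompt FROM sniff_csv('/etc/passwd');
```

Because `sniff_csv` ignored the setting, a lockdown based only on `enable_external_access` is incomplete below 1.1.0; the upgrade is the fix, and the query in step (3) is a quick way to confirm which side of it a given build is on.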