GHSA-mwxm-35f8-6vg2

Опубликовано: 05 июл. 2024

Источник: github

Github: Прошло ревью

CVSS4: 8.7

CVSS3: 7.5

Описание

Vanna vulnerable to SQL Injection

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as pg_read_file(). This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like /etc/passwd, by exploiting the exposed SQL queries via a Python Flask API.

Ссылки

Пакеты

Наименование

vanna

pip

Затронутые версииВерсия исправления

<= 0.3.4

Отсутствует

EPSS

Процентиль: 51%

0.00285

Низкий

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-5753

Дефекты

CWE-200

CWE-89

Связанные уязвимости

CVE-2024-5753

CVSS3: 7.5

nvd

больше 1 года назад

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.

EPSS

Процентиль: 51%

0.00285

Низкий

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-5753

Дефекты

CWE-200

CWE-89