PT-2024-37120 · Flask+1

Published: 2024-07-05 · Updated: 2024-07-08 · CVE-2024-5753

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: vanna-ai/vanna version v0.3.4
Description: The issue allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files such as /etc/passwd, by exploiting SQL queries exposed through a Python Flask API. This is made possible through SQL injection involving some file-critical functions such as pg_read_file().
Recommendations: For version v0.3.4, consider disabling the pg_read_file() function until a patch is available, to prevent exploitation of the SQL injection vulnerability. Restrict access to sensitive files and ensure proper input validation and sanitization in the Python Flask API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
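
One way to apply the recommendation at the database layer, as an added example that is not part of the advisory or the Vanna project: give the Flask API a dedicated non-superuser PostgreSQL role and audit whether that role can call pg_read_file(). The role name vanna_ro, the schema reporting, the password placeholder and the inclusion of pg_read_binary_file() are assumptions.

```sql
-- Added example; vanna_ro and reporting are assumed names, not from the advisory.
-- Run as a database administrator on PostgreSQL 11 or later.

-- 1. Dedicated login role for the application connection, with no
--    superuser rights (superusers bypass all function privilege checks).
CREATE ROLE vanna_ro LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'REPLACE_WITH_GENERATED_SECRET';

-- 2. Read-only access to the one schema the tool is meant to query.
GRANT USAGE ON SCHEMA reporting TO vanna_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO vanna_ro;

-- 3. Audit the role itself: it must not be a superuser and must not be a
--    member of pg_read_server_files, which permits server-side file reads.
SELECT r.rolname,
       r.rolsuper AS is_superuser,
       pg_has_role(r.rolname, 'pg_read_server_files', 'MEMBER')
           AS can_read_server_files
FROM pg_roles r
WHERE r.rolname = 'vanna_ro';

-- 4. Audit every installed signature of the file-reading functions, so the
--    check does not depend on which overloads this server version ships.
SELECT p.oid::regprocedure AS function_signature,
       has_function_privilege('vanna_ro', p.oid, 'EXECUTE') AS can_execute
FROM pg_proc p
WHERE p.pronamespace = 'pg_catalog'::regnamespace
  AND p.proname IN ('pg_read_file', 'pg_read_binary_file')
ORDER BY 1;

-- 5. For any signature step 4 reports as executable, revoke it using the
--    exact signature shown, for example:
REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM PUBLIC, vanna_ro;
```

If steps 3 and 4 report true in any column, injected SQL running as that role can still read server files, whatever validation the Flask layer performs.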

Information Disclosure

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-5753
GHSA-MWXM-35F8-6VG2

Affected Products

Flask
Vanna