PT-2024-5388 · Vanna+2

Published: 2024-04-16 · Updated: 2024-07-01 · CVE-2024-5827

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Vanna version 0.3.4

Description: The issue is in the Vanna framework's web interface, specifically its integration of DuckDB with the Flask Web APIs. It allows SQL injection: an attacker can inject malicious SQL training data, which can lead to the generation of queries that write arbitrary files on the victim's file system. For example, an attacker could create a backdoor by writing a file named backdoor.php with contents like <?php system($_GET[0]); ?>, which could lead to command execution. Exploitation can allow a remote attacker to execute arbitrary commands by sending specially crafted requests.

Recommendations: For Vanna version 0.3.4, consider disabling the DuckDB integration in the Flask Web APIs as a temporary workaround until a patch is available. Restrict access to the vulnerable API endpoints to minimize the risk of exploitation. Avoid using user-supplied input in SQL queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
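
One way to act on the recommendation about user-supplied input, as an added example that is not Vanna's code: a check run on generated SQL before execution that lets through only a single read-only SELECT and refuses statements, such as COPY, that can write files. The function name and keyword lists are assumptions, and the check complements restricting access to the endpoints rather than replacing it.

```python
import re

# Assumption: only read-only queries are expected from the text-to-SQL step.
ALLOWED_FIRST = {"SELECT", "WITH"}
# Keywords that write files, load code or change state in DuckDB-style SQL.
# Unquoted identifiers with these names are refused too (fails closed).
BLOCKED = {"COPY", "EXPORT", "IMPORT", "ATTACH", "INSTALL", "LOAD", "PRAGMA",
           "SET", "CALL", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"}

_TOKEN = re.compile(r"""
    (?P<lit>'(?:[^']|'')*')          # single-quoted string literal
  | (?P<ident>"(?:[^"]|"")*")        # double-quoted identifier
  | (?P<comment>--[^\n]*|/\*.*?\*/)  # line or block comment
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*) # keyword or bare identifier
  | (?P<semi>;)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def check_generated_sql(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason) for SQL text before it is executed."""
    words, after_semi = [], False
    for m in _TOKEN.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "comment" or text.isspace():
            continue
        if after_semi:
            return False, "more than one statement"
        if kind == "semi":
            after_semi = True
        elif kind == "other" and text in "'\"":
            return False, "unterminated quote"
        elif kind == "word":
            words.append(text.upper())
    if not words or words[0] not in ALLOWED_FIRST:
        return False, "not a SELECT statement"
    hit = sorted(set(words) & BLOCKED)
    if hit:
        return False, "blocked keyword: " + ", ".join(hit)
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not taken from any real request.
    for q in ["SELECT name FROM users WHERE id = 1;",
              "COPY (SELECT 1) TO 'out.csv'"]:
        print(check_generated_sql(q), q)
```

Keywords inside string literals and comments are ignored, so a value such as 'copy' in a WHERE clause does not trigger a refusal.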

Weakness Enumeration

SQL injection
Unrestricted File Upload

Related Identifiers

BDU:2024-06022
CVE-2024-5827

Affected Products

Duckdb
Flask
Vanna