PT-2025-12212

Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-8055

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vanna version 0.6.3
Description: The vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server by exploiting SQL queries exposed through a Python Flask API. The injected SQL reaches the Snowflake database's file staging operations, specifically the PUT and COPY commands.
Recommendations: For Vanna version 0.6.3, restrict access to the Snowflake database and limit the use of the PUT and COPY commands until a patch is available. As a temporary workaround, review and modify the Python Flask API so that user-supplied input cannot alter the SQL statements it builds.
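As an added illustration of the workaround above (hypothetical helper names, not Vanna's own code), the block below contrasts raw interpolation into a Snowflake PUT statement with a form that allowlists identifiers and confines the local file to one upload directory; UPLOAD_DIR and the function names are assumptions.

```python
import os
import re

# Added example with hypothetical helper names, not Vanna's own code: every
# caller-controlled piece of a Snowflake PUT / COPY INTO statement is checked
# against an allowlist and the local file is confined to one upload directory.
UPLOAD_DIR = "/var/app/uploads"  # assumed location, not from the advisory
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,254}")  # plain unquoted identifier
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")  # no '/', no quotes

class UnsafeInput(ValueError):
    """Raised when a caller-supplied value cannot be placed safely in SQL."""

def unsafe_put(local_path: str, stage: str) -> str:
    # VULNERABLE pattern, shown only for contrast: raw interpolation lets the
    # caller name any readable local file and append further SQL text.
    return f"PUT file://{local_path} @{stage}"

def is_safe_identifier(name: str) -> bool:
    return IDENT_RE.fullmatch(name) is not None

def is_safe_filename(name: str) -> bool:
    # a '..' component is rejected even though its characters are allowed
    return FILENAME_RE.fullmatch(name) is not None and ".." not in name

def confine_upload(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    # absolute path inside upload_dir; realpath + commonpath is defence in
    # depth behind the name check (symlinks, odd separators)
    if not is_safe_filename(filename):
        raise UnsafeInput(f"rejected file name: {filename!r}")
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, path]) != root:
        raise UnsafeInput(f"file escapes upload directory: {filename!r}")
    return path

def safe_put(filename: str, stage: str) -> str:
    if not is_safe_identifier(stage):
        raise UnsafeInput(f"rejected stage name: {stage!r}")
    return f"PUT 'file://{confine_upload(filename)}' @{stage}"

def safe_copy_into(table: str, stage: str) -> str:
    for name in (table, stage):
        if not is_safe_identifier(name):
            raise UnsafeInput(f"rejected identifier: {name!r}")
    return f"COPY INTO {table} FROM @{stage} FILE_FORMAT = (TYPE = CSV)"
```

Rejected inputs raise UnsafeInput before any statement text is built, so the Flask layer can log and refuse the request rather than forward it to Snowflake.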

Weakness Enumeration

SQL injection
Information Disclosure

Related Identifiers: CVE-2024-8055

Affected Products: Python, Python Flask API, Snowflake, Vanna