CVE-2024-5827

Published Jun 28, 2024

Last updated 5 months ago

CVSS critical 9.8

Overview

Description
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
Source
security@huntr.dev
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@huntr.dev
CWE-434

Social media

Hype score
Not currently trending

References