Free Trial

CVE-2024-5826 : VANNA-AI VANNA SRC/VANNA/BASE/BASE.PY VANNA.ASK CODE INJECTION

Description

In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.

References

https://huntr.com/bounties/90620087-44ac-4e43-b659-3c5d30889369

For More Information

CVERecord

Common Vulnerabilityies and Exposures

CVE-2024-5826 : VANNA-AI VANNA SRC/VANNA/BASE/BASE.PY VANNA.ASK CODE INJECTION
CVE-2024-5826 : VANNA-AI VANNA SRC/VANNA/BASE/BASE.PY VANNA.ASK CODE INJECTION

Contact us to get started

CVE-2024-6284 : GOOGLE NFTABLES UP TO 0.1.0 ADDSET INPUT VALIDATION

CVE-2024-6284 : GOOGLE NFTABLES UP TO 0.1.0 ADDSET INPUT VALIDATION

Description In https://github.com/google/nftables IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not

Learn more
CVE-2024-34750 : APACHE TOMCAT UP TO 9.0.89/10.1.24/11.0.0-M20 HTTP/2 STREAM EXCEPTIONAL CONDITION

CVE-2024-34750 : APACHE TOMCAT UP TO 9.0.89/10.1.24/11.0.0-M20 HTTP/2 STREAM EXCEPTIONAL CONDITION

Description Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did

Learn more
CVE-2024-35227 : DISCOURSE UP TO 3.3.0.BETA2/3.2.2 URL DENIAL OF SERVICE

CVE-2024-35227 : DISCOURSE UP TO 3.3.0.BETA2/3.2.2 URL DENIAL OF SERVICE

Description Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the

Learn more