Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Local File Read (LFI) by Prompt Injection via Postgres SQL in vanna-ai/vanna
Vulnerability Description
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
Vanna 信息泄露漏洞
Vulnerability Description
Vanna是Vanna公司的一个个性化 AI SQL 代理。 vanna v0.3.4 版本存在信息泄露漏洞,该漏洞源于某些文件相关的函数容易受到 SQL 注入攻击。未经身份验证的远程攻击者利用该漏洞可以通过 Python Flask API 利用暴露的 SQL 查询读取受害服务器上的任意本地文件。
CVSS Information
N/A
Vulnerability Type
N/A