漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Remote Code Execution via Prompt Injection in vanna-ai/vanna
Vulnerability Description
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.
CVSS Information
N/A
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
vanna 代码注入漏洞
Vulnerability Description
Vanna是Vanna公司的一个个性化 AI SQL 代理。 vanna 存在代码注入漏洞,该漏洞源于执行 LLM 生成代码缺少沙箱,导致攻击者可以操控 src/vanna/base/base.py 中的 exec函数,攻击者利用该漏洞可以在应用后端服务器上实现远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A