Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Local File Read (LFI) by Prompt Injection via SnowFlake SQL in vanna-ai/vanna
Vulnerability Description
Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as `/etc/passwd`, by exploiting the exposed SQL queries through a Python Flask API.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
Vanna 信息泄露漏洞
Vulnerability Description
Vanna是Vanna公司的一个个性化 AI SQL 代理。 Vanna v0.6.3版本存在信息泄露漏洞,该漏洞源于在使用PUT和COPY命令进行文件暂存操作时,通过Snowflake数据库存在SQL注入,允许未经验证的远程用户读取受害者服务器上的任意本地文件。
CVSS Information
N/A
Vulnerability Type
N/A