Severity: High

Project: vanna

SQL Injection via generate_sql Result Execution

A SQL injection vulnerability was discovered in vanna-ai/vanna version 0.6.2, allowing attackers to execute arbitrary SQL commands. The issue was patched in a subsequent release.

Available publicly on Oct 01 2024

CVSS score: 8.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Credit: grutz

Remediation Steps
  • Update to the latest version of vanna-ai/vanna where the vulnerability is patched.
  • Implement stricter validation and sanitization of SQL queries generated by the LLM.
  • Use a read-only database user and enforce row-level security to mitigate the impact of potential SQL injection attacks.
  • Regularly review and update security practices to protect against similar vulnerabilities.

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A