SQL Injection via generate_sql Result Execution
A SQL injection vulnerability was discovered in vanna-ai/vanna version 0.6.2, allowing attackers to execute arbitrary SQL commands. The issue was patched in a subsequent release.
Available publicly on Oct 01 2024
Remediation Steps
- Update to the latest version of vanna-ai/vanna where the vulnerability is patched.
- Implement stricter validation and sanitization of SQL queries generated by the LLM.
- Use a read-only database user and enforce row-level security to mitigate the impact of potential SQL injection attacks.
- Regularly review and update security practices to protect against similar vulnerabilities.
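The second and third remediation steps above, as an added example that is not vanna's own code: a hypothetical guard for SQL text returned by an LLM (the kind of string a generate_sql-style call produces), combined with SQLite's authorizer hook so the engine itself refuses anything that is not a read. Names, the sample table and the SQLite backend are assumptions of this example.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Added example, not vanna's own code: a hypothetical guard for LLM-generated SQL,
# backed by SQLite's authorizer so the engine itself refuses anything but reads.
_READ_ONLY_ACTIONS = {  # authorizer action codes a read-only query legitimately needs
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
    getattr(sqlite3, "SQLITE_RECURSIVE", 33),  # CTEs; constant absent on older Pythons
}

def _deny_writes(action, arg1, arg2, db_name, trigger_or_view):
    # SQLite consults this before compiling each operation; non-reads are refused.
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

def validate_generated_sql(sql: str) -> Optional[str]:
    """Textual pre-check: None when acceptable, otherwise the reason for rejection."""
    stmt = sql.strip().rstrip(";").strip()
    if not stmt:
        return "empty statement"
    if ";" in stmt:  # conservative: also rejects a ';' inside a string literal
        return "multiple statements are not allowed"
    if "--" in stmt or "/*" in stmt:
        return "comments are not allowed"
    if re.match(r"(select|with)\b", stmt, re.IGNORECASE) is None:
        return "only SELECT or WITH queries are allowed"
    return None

def run_generated_sql(conn: sqlite3.Connection, sql: str) -> Tuple[str, object]:
    """Run generated SQL under both guards; returns ('ok', rows) or ('rejected', reason)."""
    reason = validate_generated_sql(sql)
    if reason is not None:
        return "rejected", reason
    conn.set_authorizer(_deny_writes)  # second layer: the engine vetoes writes
    try:
        return "ok", conn.execute(sql.strip().rstrip(";")).fetchall()
    except sqlite3.DatabaseError as exc:  # 'not authorized' when the authorizer denies
        return "rejected", f"database refused statement: {exc}"
    finally:
        conn.set_authorizer(None)

def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE sales(region TEXT, amount INTEGER);"
                       "INSERT INTO sales VALUES ('east', 10), ('west', 5);")
    return conn
```

The textual check alone is easy to bypass (a `WITH ... INSERT` passes it), which is why the authorizer is the layer that actually enforces read-only access; a database user with only read privileges serves the same role on server databases.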
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A