CVE-2024-5565 – vanna

Package

Manager: pip
Name: vanna
Vulnerable Version: >=0 <=0.5.5

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.05104 pctl0.89429

Details

Vanna prompt injection code execution The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.

Metadata

Created: 2024-05-31T15:30:37Z
Modified: 2024-11-25T19:31:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7735-w2jp-gvg6/GHSA-7735-w2jp-gvg6.json
CWE IDs: ["CWE-77", "CWE-94"]
Alternative ID: GHSA-7735-w2jp-gvg6
Finding: F422
Auto approve: 1