CVE-2024-8099 Information

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted SQL queries that leverage DuckDB's default features, such as read_csv, read_csv_auto, read_text, and read_blob, to make unauthorized requests to internal or external resources. This can lead to unauthorized access to sensitive data and internal systems, and potentially to further attacks.
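As an added defensive example (not code from the advisory, vanna, or DuckDB): a Python gate that refuses generated SQL which calls DuckDB's path/URL-reading table functions (the four named above, extended here with read_json, read_json_auto and read_parquet, which belong to the same family) or that places a remote path literal directly in the query, plus a connection factory that disables DuckDB's external access as a backstop. It assumes the `duckdb` Python package; `enable_external_access` and `lock_configuration` are documented DuckDB settings, but confirm on your DuckDB version that they block these readers.

```python
import re

# DuckDB table functions that accept a file path or URL. The advisory names the
# first four; the others are common variants of the same reader family (added here).
EXTERNAL_READERS = (
    "read_csv", "read_csv_auto", "read_text", "read_blob",
    "read_json", "read_json_auto", "read_parquet",
)
_READER_RE = re.compile(r"\b(" + "|".join(EXTERNAL_READERS) + r")\s*\(", re.IGNORECASE)
# DuckDB also reads a file when a quoted path appears directly in FROM; flag remote schemes.
_REMOTE_PATH_RE = re.compile(r"""['"](?:https?|s3|gcs)://""", re.IGNORECASE)


def find_external_readers(sql: str) -> list[str]:
    """Return the external-reading constructs found in `sql` (empty list = none).

    Hits inside string literals or comments are kept on purpose: a blocklist
    should fail closed rather than be bypassed by disguising a call as a comment.
    """
    found = [m.group(1).lower() for m in _READER_RE.finditer(sql)]
    if _REMOTE_PATH_RE.search(sql):
        found.append("remote-path-literal")
    return found


def is_safe_for_untrusted_execution(sql: str) -> bool:
    return not find_external_readers(sql)


def open_hardened_connection(database: str = ":memory:"):
    """Open a DuckDB connection with external access disabled and the setting locked.

    Assumption: the `duckdb` package is installed; imported lazily so the static
    gate above works without it.
    """
    import duckdb
    con = duckdb.connect(database)
    con.execute("SET enable_external_access = false")  # readers can no longer reach files/URLs
    con.execute("SET lock_configuration = true")        # later SQL cannot switch it back on
    return con


def run_untrusted_sql(con, sql: str):
    """Defence in depth: static gate first, hardened session as the backstop."""
    hits = find_external_readers(sql)
    if hits:
        raise PermissionError(f"refusing SQL that uses external readers: {hits}")
    return con.execute(sql).fetchall()
```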

Reference

https://huntr.com/bounties/19b96694-ed52-4ee4-8d2c-6cc7bd09c0ad
