vanna@0.0.14 vulnerabilities

Generate SQL queries from natural language

Direct Vulnerabilities

Known vulnerabilities in the vanna package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable version

Severity: Medium
Cross-site Request Forgery (CSRF)

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the run_sql() function, which is accessible via the /api/v0/run_sql endpoint. An attacker can alter or delete (but not read) data by sending requests that include SQL commands to this endpoint, even though it is not meant to be exposed.

How to fix Cross-site Request Forgery (CSRF)?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)

Severity: High
SQL Injection

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to SQL Injection: a series of PUT and COPY statements can be injected as raw SQL through the "Manually Fix" feature of the Snowflake database integration. The run_sql_snowflake() function executes those statements on the database without sanitization. An attacker can exploit this to read arbitrary local files on the server.

How to fix SQL Injection?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)

Severity: Medium
SQL Injection

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to SQL Injection through the pg_read_file function. An attacker can read arbitrary local files on the server by exploiting exposed SQL queries.

Note

By default, pg_read_file() is restricted to superusers, but other users can be granted EXECUTE permission on this function.

How to fix SQL Injection?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)

Severity: Medium
SQL Injection

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to SQL Injection through the integration of DuckDB with Flask web APIs. An attacker can manipulate the SQL training data so that the generated queries write arbitrary files on the victim's system, potentially leading to unauthorized command execution or the creation of backdoors.

How to fix SQL Injection?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)

Severity: Critical
Code Injection

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to Code Injection in the src/vanna/base/base.py file, where exec() executes the plotly_code that the LLM generates in the generate_plotly_code function. An attacker can achieve remote code execution (RCE) on the application's backend server via prompt injection and gain full control of the server.

How to fix Code Injection?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)

Severity: High
Improper Input Validation

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to Improper Input Validation, allowing prompt injection via the ask method when the visualize parameter is set to True. An attacker can execute arbitrary code by injecting malicious input into the prompt function. This is only exploitable if the visualize parameter is enabled, which is the default setting.

How to fix Improper Input Validation?

There is no fixed version for vanna.

Vulnerable versions: [0,) (all versions)