| 제목 | vanna.ai vanna 2.0.2 SQL Injection |
|---|
| 설명 | Vanna utilizes large language models to understand user intents and generate SQL, enabling users to interact with databases using natural language. However, Vanna executes all SQL statements generated by the LLM without filtration. Malicious users may control the model’s output through prompt injection, leading to arbitrary SQL execution. While this may be an intentional design choice of Vanna, due to the powerful features of Oracle databases, allowing arbitrary SQL execution could enable attackers to run arbitrary commands on the target server, resulting in full server compromise. |
|---|
| 원천 | ⚠️ https://github.com/Ka7arotto/cve/blob/main/vanna-text2sql/vanna-sql-rce.md |
|---|
| 사용자 | Goku (UID 80486) |
|---|
| 제출 | 2026. 03. 06. PM 12:48 (3 개월 ago) |
|---|
| 모더레이션 | 2026. 03. 20. PM 03:28 (14 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 352078 [vanna-ai vanna 까지 2.0.2 base.py ask SQL 주입] |
|---|
| 포인트들 | 20 |
|---|