Home > Vulnerability Database > CVE-2024-5565

Mend.io Vulnerability Database

CVE-2024-5565

Good to know:

Date: May 31, 2024

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.

Language: Python

Severity Score

8.1

Related Resources (5)

Url: https://github.com/vanna-ai/vanna

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-5565

Url: https://research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449

Url: https://research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449/

Url: https://www.mend.io/vulnerability-database/CVE-2024-5565

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version vanna - 0.6.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-5565

Good to know:

Date: May 31, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?