CVE-2024-5565

Prompt Injection in "ask" API with visualization leads to RCE

Description

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.

INFO

Published Date :

2024-05-31T14:24:21.663Z

Last Modified :

2024-11-25T12:52:55.405Z

Source :

JFROG

AFFECTED PRODUCTS

The following products are affected by CVE-2024-5565 vulnerability.

Vendors	Products
Vanna-ai	Vanna

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5565.

URL	Resource
https://research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449/

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact