CVE-2024-8099

Summary

CVE-2024-8099 is a newly identified Server-Side Request Forgery (SSRF) vulnerability affecting the latest version of vanna-ai/vanna when using DuckDB as the database. This issue allows an attacker to submit crafted SQL queries that leverage DuckDB's default features, including `read_csv`, `read_csv_auto`, `read_text`, and `read_blob`. By exploiting this vulnerability, an attacker can make unauthorized requests to internal or external resources, potentially leading to unauthorized access to sensitive data, internal systems, and further attacks. This poses a significant risk to organizations using this combination of tools and should be addressed promptly by applying the necessary patches.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.