Vanna SQL Injection Vulnerability Allowing Arbitrary File Read on Snowflake Database
Vulnerability
A SQL injection vulnerability has been identified in Vanna version 0.6.3 in its file staging operations against a Snowflake database. The issue arises because SQL submitted through the Python Flask API is passed to the Snowflake connection without authentication or statement filtering, so an unauthenticated remote user can issue Snowflake 'PUT' and 'COPY' commands. Because the Snowflake client library carries out 'PUT' by reading the named file from the machine it runs on, this allows reading arbitrary local files on the victim server that hosts Vanna, such as '/etc/passwd'.
Impact
Exploitation of this vulnerability allows unauthorized reading of sensitive files on the victim server, including SSH keys, artifact information, internal configuration, and other confidential documents.
Reproduction
To reproduce this vulnerability, submit a 'PUT' command through the exposed SQL interface naming a file on the Vanna host; the Snowflake client uploads that file to a Snowflake stage. Then create a table to hold the leaked data and use the 'COPY' command to load the staged file's contents into the table. Finally, run a 'SELECT' against the table; the result contains the contents of the file read from the victim server.
