VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Mar 20, 2025 · Updated Apr 15, 2026

CVE-2024-6841

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the latest commit (56b782bcefd2e59b19cd7ba7878b95f54884f502) of the vanna-ai/vanna repository. Two endpoints in the built-in web app that provide SQL functionality are implemented as simple GET requests, making them susceptible to CSRF attacks. This vulnerability allows an attacker to run arbitrary SQL commands via CSRF without the target intending to expose the web app to the network or other users. The impact is limited to data alteration or deletion, as the attacker cannot read the results of the query.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in vanna-ai/vanna's web app allows attackers to execute arbitrary SQL commands via GET requests, leading to data alteration or deletion.

The vulnerability is a Cross-Site Request Forgery (CSRF) in the vanna-ai/vanna repository's built-in web application. Two endpoints that provide SQL functionality are implemented as simple GET requests, lacking CSRF tokens or other protections. This design flaw makes them susceptible to CSRF attacks [1].

An attacker can craft a malicious web page or link that, when visited by an authenticated user, triggers a GET request to the vulnerable endpoints. The attack does not require the target to intentionally expose the web app to the network; any user with an active session can be targeted. The attacker can execute arbitrary SQL commands on the underlying database [1].

The impact is limited to data alteration or deletion because the attacker cannot read the results of the query. However, this can still lead to significant data integrity issues, such as corruption or loss of critical information. The vulnerability is rated medium severity with a CVSS score of 6.5 [1].

As of the latest commit (56b782bcefd2e59b19cd7ba7878b95f54884f502), no patch has been released. Users are advised to implement CSRF protections, such as anti-CSRF tokens, or restrict access to the web app to trusted networks only [1].
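The mechanism described above, as an added example that is not code from the vanna-ai/vanna project: a SQL-running handler exposed as a plain GET beside a hardened version that requires POST, a same-origin Origin/Referer, and a per-session anti-CSRF token. The endpoint path, the Request class, the sqlite schema, the served origin and the cross-site requests are all constructed here for illustration; the real app's routes and parameters are not reproduced.

```python
"""Added example (not Vanna's code): why a SQL-running GET endpoint is CSRF-able,
and a hardened request check. Endpoint path, Request shape, schema and origins
are assumptions for illustration."""
import hmac
import secrets
import sqlite3
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "http://localhost:8084"   # assumed: where the app is served
SQL_ENDPOINT = "/api/v0/run_sql"           # assumed endpoint name


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # cookie-bound server session


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    db.executemany("INSERT INTO orders (total) VALUES (?)", [(10.0,), (20.0,)])
    return db


def run_sql_vulnerable(db, req):
    """Vulnerable pattern: a GET endpoint that runs SQL taken from the URL.
    Browsers attach the session cookie to cross-site GETs, and nothing here
    checks that the request came from the app's own page."""
    if req.method != "GET" or req.path != SQL_ENDPOINT:
        return 404, "not found"
    db.execute(req.query["sql"])
    db.commit()
    return 200, "ok"


def issue_csrf_token(session):
    """Synchronizer token: stored server-side, echoed back in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(req):
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:                       # no provenance at all: refuse (conservative)
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_check(req):
    """Returns None if the request is acceptable, else a reason string."""
    if req.method != "POST":
        return "state-changing action must use POST"
    if not same_origin(req):
        return "cross-origin request"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "missing or invalid CSRF token"
    return None


def run_sql_hardened(db, req):
    if req.path != SQL_ENDPOINT:
        return 404, "not found"
    problem = csrf_check(req)
    if problem:
        return 403, problem
    db.execute(req.form["sql"])
    db.commit()
    return 200, "ok"


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    """Constructed cross-site requests against both handlers. Returns
    (rows left after vulnerable GET, rows left after hardened run,
     hardened status for cross-site GET, for forged POST, for legit POST)."""
    session = {"user": "alice"}
    cross_site_get = Request("GET", SQL_ENDPOINT, query={"sql": "DELETE FROM orders"},
                             headers={"Referer": "http://third-party.example/"},
                             session=session)
    db1 = new_db()
    run_sql_vulnerable(db1, cross_site_get)          # rows are deleted

    db2 = new_db()
    s_get, _ = run_sql_hardened(db2, cross_site_get)  # wrong method -> 403
    token = issue_csrf_token(session)
    forged_post = Request("POST", SQL_ENDPOINT,
                          form={"sql": "DELETE FROM orders", "csrf_token": "guess"},
                          headers={"Origin": "http://third-party.example"}, session=session)
    s_forged, _ = run_sql_hardened(db2, forged_post)  # foreign origin -> 403
    legit = Request("POST", SQL_ENDPOINT,
                    form={"sql": "UPDATE orders SET total = 0 WHERE id = 1",
                          "csrf_token": token},
                    headers={"Origin": ALLOWED_ORIGIN}, session=session)
    s_legit, _ = run_sql_hardened(db2, legit)         # same origin + token -> 200
    return row_count(db1), row_count(db2), s_get, s_forged, s_legit


if __name__ == "__main__":
    print(demo())
```

The two defences are layered on purpose: the method and Origin/Referer checks stop the navigation-style GET the advisory describes, and the session-bound token (compared with `hmac.compare_digest`) covers the case where a cross-site form POST is sent and the Origin header is absent or stripped. Refusing requests with no Origin or Referer at all is the conservative choice and may need relaxing for non-browser clients.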

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)