CVE-2024-24759

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b	Patch
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

06 Sep 2024, 13:06

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mindsdb:mindsdb::::::::
References	~~() https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b -~~	() https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b - Patch
References	~~() https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr -~~	() https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~9.3~~	v2 : unknown v3 : 9.1
First Time		Mindsdb mindsdb Mindsdb
Summary		(es) MindsDB es una plataforma para crear inteligencia artificial a partir de datos empresariales. Antes de la versión 23.12.4.2, un actor de amenazas podía eludir la protección contra falsificación de solicitudes del lado del servidor en todo el sitio web con DNS Rebinding. La vulnerabilidad también puede provocar una denegación de servicio. La versión 23.12.4.2 contiene un parche.

05 Sep 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-05 17:15

Updated : 2024-09-06 13:06

NVD link : CVE-2024-24759

Mitre link : CVE-2024-24759

CVE.ORG link : CVE-2024-24759

JSON object : View

Products Affected

mindsdb

mindsdb

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-24759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2024-09-05T17:15:12.380", "references": [{"url": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch."}, {"lang": "es", "value": "MindsDB es una plataforma para crear inteligencia artificial a partir de datos empresariales. Antes de la versi\u00f3n 23.12.4.2, un actor de amenazas pod\u00eda eludir la protecci\u00f3n contra falsificaci\u00f3n de solicitudes del lado del servidor en todo el sitio web con DNS Rebinding. La vulnerabilidad tambi\u00e9n puede provocar una denegaci\u00f3n de servicio. La versi\u00f3n 23.12.4.2 contiene un parche."}], "lastModified": "2024-09-06T13:06:18.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7466EAB9-6E4E-482B-91AF-D4150D6DF97C", "versionEndExcluding": "23.12.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}