CVE-2024-45846

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.
References
Link Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

16 Sep 2024, 17:30

Type Values Removed Values Added
CPE cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
First Time Mindsdb
Mindsdb mindsdb
CWE CWE-94
References () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - Exploit, Third Party Advisory
Summary
  • (es) Existe una vulnerabilidad de ejecución de código arbitrario en las versiones 23.10.3.0 a 24.7.4.1 de la plataforma MindsDB, cuando la integración de Weaviate está instalada en el servidor. Si se ejecuta una cláusula 'SELECT WHERE' especialmente manipulada que contiene código Python en una base de datos creada con el motor Weaviate, el código se pasará a una función eval y se ejecutará en el servidor.

12 Sep 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-16 17:30


NVD link : CVE-2024-45846

Mitre link : CVE-2024-45846

CVE.ORG link : CVE-2024-45846


JSON object : View

Products Affected

mindsdb

  • mindsdb
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')