CVE-2024-45847

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.
References
Link Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

16 Sep 2024, 17:31

Type Values Removed Values Added
First Time Mindsdb
Mindsdb mindsdb
References () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - Exploit, Third Party Advisory
CWE CWE-94
Summary
  • (es) Existe una vulnerabilidad de ejecución de código arbitrario en las versiones 23.11.4.2 a 24.7.4.1 de la plataforma MindsDB, cuando se instala una de varias integraciones en el servidor. Si se ejecuta una consulta 'UPDATE' especialmente manipulada que contiene código Python en una base de datos creada con el motor de integración especificado, el código se pasará a una función eval y se ejecutará en el servidor.
CPE cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

12 Sep 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-16 17:31


NVD link : CVE-2024-45847

Mitre link : CVE-2024-45847

CVE.ORG link : CVE-2024-45847


JSON object : View

Products Affected

mindsdb

  • mindsdb
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')