CVE-2024-45850

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.
References
Link Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

16 Sep 2024, 17:35

Type Values Removed Values Added
CPE cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
First Time Mindsdb
Mindsdb mindsdb
Summary
  • (es) Existe una vulnerabilidad de ejecución de código arbitrario en las versiones 23.10.5.0 a 24.7.4.1 de la plataforma MindsDB, cuando la integración de Microsoft SharePoint está instalada en el servidor. Para las bases de datos creadas con el motor de SharePoint, se puede utilizar una consulta "INSERT" para la creación de columnas del sitio. Si una consulta de este tipo está especialmente manipulada para contener código Python y se ejecuta en la base de datos, el código se pasará a una función eval y se ejecutará en el servidor.
References () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - Exploit, Third Party Advisory
CWE CWE-94

12 Sep 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-16 17:35


NVD link : CVE-2024-45850

Mitre link : CVE-2024-45850

CVE.ORG link : CVE-2024-45850


JSON object : View

Products Affected

mindsdb

  • mindsdb
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')