CVE-2024-45853

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

16 Sep 2024, 17:59

Type	Values Removed	Values Added
First Time		Mindsdb Mindsdb mindsdb
CVSS	v2 : ~~unknown~~ v3 : ~~7.1~~	v2 : unknown v3 : 7.5
References	~~() https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ -~~	() https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - Exploit, Third Party Advisory
CPE		cpe:2.3:a:mindsdb:mindsdb::::::::
Summary		(es) La deserialización de datos no confiables puede ocurrir en las versiones 23.10.2.0 y más nuevas de la plataforma MindsDB, lo que permite que un modelo "interno" cargado maliciosamente ejecute código arbitrario en el servidor cuando se usa para una predicción.

12 Sep 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-16 17:59

NVD link : CVE-2024-45853

Mitre link : CVE-2024-45853

CVE.ORG link : CVE-2024-45853

JSON object : View

Products Affected

mindsdb

mindsdb

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2024-45853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-09-12T13:15:14.643", "references": [{"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/", "tags": ["Exploit", "Third Party Advisory"], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded \u2018inhouse\u2019 model to run arbitrary code on the server when used for a prediction."}, {"lang": "es", "value": "La deserializaci\u00f3n de datos no confiables puede ocurrir en las versiones 23.10.2.0 y m\u00e1s nuevas de la plataforma MindsDB, lo que permite que un modelo \"interno\" cargado maliciosamente ejecute c\u00f3digo arbitrario en el servidor cuando se usa para una predicci\u00f3n."}], "lastModified": "2024-09-16T17:59:03.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84783117-4B56-466D-AC00-91037D347ADA", "versionStartIncluding": "23.10.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}