CVE-2024-45854

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.
References
Link Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

History

16 Sep 2024, 18:02

Type Values Removed Values Added
Summary
  • (es) La deserialización de datos no confiables puede ocurrir en las versiones 23.10.3.0 y posteriores de la plataforma MindsDB, lo que permite que un modelo "interno" cargado maliciosamente ejecute código arbitrario en el servidor cuando se ejecuta una consulta "describe" en él.
First Time Mindsdb
Mindsdb mindsdb
CVSS v2 : unknown
v3 : 7.1
v2 : unknown
v3 : 7.5
References () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - () https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

12 Sep 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-16 18:02


NVD link : CVE-2024-45854

Mitre link : CVE-2024-45854

CVE.ORG link : CVE-2024-45854


JSON object : View

Products Affected

mindsdb

  • mindsdb
CWE
CWE-502

Deserialization of Untrusted Data