{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24759", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.010Z", "datePublished": "2024-09-05T16:30:38.659Z", "dateUpdated": "2024-09-05T17:46:08.516Z"}, "containers": {"cna": {"title": "MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr"}, {"name": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b", "tags": ["x_refsource_MISC"], "url": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b"}], "affected": [{"vendor": "mindsdb", "product": "mindsdb", "versions": [{"version": "< 23.12.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-05T16:30:38.659Z"}, "descriptions": [{"lang": "en", "value": "MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch."}], "source": {"advisory": "GHSA-4jcv-vp96-94xr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "mindsdb", "product": "mindsdb", "cpes": ["cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "23.12.4.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T17:45:02.937898Z", "id": "CVE-2024-24759", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:46:08.516Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24759", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T17:45:02.937898Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*"], "vendor": "mindsdb", "product": "mindsdb", "versions": [{"status": "affected", "version": "0", "lessThan": "23.12.4.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:46:02.784Z"}}], "cna": {"title": "MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding", "source": {"advisory": "GHSA-4jcv-vp96-94xr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mindsdb", "product": "mindsdb", "versions": [{"status": "affected", "version": "< 23.12.4.2"}]}], "references": [{"url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr", "name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b", "name": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-05T16:30:38.659Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24759", "state": "PUBLISHED", "dateUpdated": "2024-09-05T17:46:08.516Z", "dateReserved": "2024-01-29T20:51:26.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-05T16:30:38.659Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7466EAB9-6E4E-482B-91AF-D4150D6DF97C", "versionEndExcluding": "23.12.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch."}, {"lang": "es", "value": "MindsDB es una plataforma para crear inteligencia artificial a partir de datos empresariales. Antes de la versi\u00f3n 23.12.4.2, un actor de amenazas pod\u00eda eludir la protecci\u00f3n contra falsificaci\u00f3n de solicitudes del lado del servidor en todo el sitio web con DNS Rebinding. La vulnerabilidad tambi\u00e9n puede provocar una denegaci\u00f3n de servicio. La versi\u00f3n 23.12.4.2 contiene un parche."}], "id": "CVE-2024-24759", "lastModified": "2024-09-06T13:06:18.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-05T17:15:12.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}