An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.
History

Mon, 16 Sep 2024 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Thu, 12 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mindsdb
Mindsdb mindsdb
CPEs cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
Vendors & Products Mindsdb
Mindsdb mindsdb
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Sep 2024 13:15:00 +0000

Type Values Removed Values Added
Description An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.
Weaknesses CWE-95
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published: 2024-09-12T12:57:42.357Z

Updated: 2024-09-12T14:37:32.950Z

Reserved: 2024-09-10T15:36:52.125Z

Link: CVE-2024-45847

cve-icon Vulnrichment

Updated: 2024-09-12T14:37:28.386Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-12T13:15:13.177

Modified: 2024-09-16T17:31:04.850

Link: CVE-2024-45847

cve-icon Redhat

No data.