GHSA-34mr-6q8x-g9r6

Suggest an improvement
Source
https://github.com/advisories/GHSA-34mr-6q8x-g9r6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-34mr-6q8x-g9r6/GHSA-34mr-6q8x-g9r6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-34mr-6q8x-g9r6
Aliases
Related
Published
2023-12-12T00:48:48Z
Modified
2024-11-22T18:41:25.257215Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Server-Side Request Forgery in mindsdb
Details

Impact

The put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled URL in the source variable and uses it to create arbitrary requests on line 115, which allows Server-side request forgery (SSRF). This issue may lead to Information Disclosure. The SSRF allows for forging arbitrary network requests from the MindsDB server. It can be used to scan nodes in internal networks for open ports that may not be accessible externally, as well as scan for existing files on the internal network. It allows for retrieving files with csv, xls, xlsx, json or parquet extensions, which will be viewable via MindsDB GUI. For any other existing files, it is a blind SSRF.

Patches

Use mindsdb staging branch or v23.11.4.1

References

Database specific 
{
    "nvd_published_at": "2023-12-11T19:15:09Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-12T00:48:48Z"
}
References

Affected packages

PyPI / mindsdb

Package

Name
mindsdb
View open source insights on deps.dev
Purl
pkg:pypi/mindsdb

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
23.11.4.1

Affected versions

0.*

0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.9.1
0.8.9.2
0.8.9.3
0.8.9.4
0.8.9.5
0.8.9.6
0.8.9.7
0.8.9.8
0.9.0.0
0.9.0.1
0.9.1.0
0.9.2.0

1.*

1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.2
1.1.3
1.1.7
1.1.9
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.8
1.2.9
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.9
1.4.10
1.5.0
1.5.1
1.5.2
1.5.4
1.6.0
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.12
1.6.13
1.6.15
1.6.17
1.6.18
1.7.0
1.7.1
1.7.2
1.7.3
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.8.0
1.8.2
1.9.0
1.9.1
1.9.2
1.9.3
1.9.5
1.9.6
1.10.0
1.10.2
1.10.3
1.11.0
1.11.2
1.11.3
1.11.4
1.11.5
1.11.8
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.7
1.12.8
1.12.9
1.13.0
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.13.7
1.13.8
1.13.9
1.13.10
1.13.11
1.13.12
1.13.15
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.15.1
1.15.2
1.15.6
1.16.0
1.16.1
1.16.2
1.17.0
1.17.1
1.17.2
1.17.3
1.17.4
1.17.6
1.17.8
1.17.9
1.18.0
1.18.1
1.18.2
1.18.3
1.18.5
1.18.6
1.18.7
1.19.0
1.19.1
1.20.0
1.20.1
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.24.2
1.25.0
1.25.1
1.25.2
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.26.5
1.27.0
1.27.1
1.99.0
1.99.1
1.99.3
1.99.4
1.99.5
1.99.6
1.99.7
1.99.8
1.99.9
1.99.10
1.99.11

2.*

2.0.0
2.1.0
2.1.2
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.3
2.9.0
2.9.1
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.4
2.12.0
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.14.0
2.15.0
2.17.1
2.18.0
2.19.0
2.19.1
2.19.2
2.19.4
2.19.5
2.20.0
2.20.1
2.20.2
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.24.0
2.24.1
2.25.0
2.25.1
2.25.2
2.25.3
2.26.0
2.27.0
2.28.0
2.30.0
2.30.1
2.31.0
2.32.0
2.33.0
2.34.0
2.35.0
2.36.0
2.37.0
2.38.0
2.39.0
2.40.0
2.41.1
2.41.2
2.42.0
2.42.1
2.42.2
2.43.0
2.44.0
2.45.0
2.45.1
2.45.2
2.50.0
2.51.0
2.51.1
2.51.2
2.52.0
2.53.0
2.54.0
2.55.0
2.55.1
2.55.2
2.56.0
2.57.0
2.58.0
2.58.1
2.58.2
2.58.3
2.59.0
2.60.0
2.60.1
2.61.0
2.62.0
2.62.1
2.62.2
2.62.3
2.62.4

22.*

22.1.4.0
22.1.4.1
22.2.1.0
22.2.1.2
22.2.2.0
22.2.2.1
22.2.4.0
22.2.4.1
22.3.1.0
22.3.3.0
22.3.4.0
22.3.4.1
22.3.4.2
22.3.4.3
22.3.5.0
22.4.2.0
22.4.2.1
22.4.2.2
22.4.3.0
22.4.5.0
22.5.1.0
22.5.1.1
22.5.1.2
22.5.2.0
22.5.4.0
22.6.1.0
22.6.1.1
22.6.1.2
22.6.2.0
22.6.2.1
22.6.2.2
22.7.3.0
22.7.3.1
22.7.3.2
22.7.3.3
22.7.3.4
22.7.4.0
22.7.4.1
22.7.5.0
22.7.5.1
22.8.2.0
22.8.2.1
22.8.3.0
22.8.3.1
22.8.4.0
22.8.4.1
22.8.5.0
22.9.3.0
22.9.3.1
22.9.4.0
22.9.5.1
22.9.5.2
22.9.5.3
22.9.5.4
22.10.2.0
22.10.2.1
22.11.3.0
22.11.3.2
22.11.4.0
22.11.4.1
22.11.4.2
22.11.4.3
22.12.4.0
22.12.4.2
22.12.4.3

23.*

23.1.3.0
23.1.3.1
23.1.3.2
23.1.5.0
23.2.1.0
23.2.2.1
23.2.3.0
23.2.3.1
23.2.4.0
23.2.4.1
23.2.4.2
23.2.4.3
23.3.2.0
23.3.3.0
23.3.3.1
23.3.3.2
23.3.3.3
23.3.3.4
23.3.3.5
23.3.4.0
23.3.5.0
23.4.3.0
23.4.3.1
23.4.3.2
23.4.4.0
23.4.4.1
23.4.4.2
23.4.4.3
23.4.4.4
23.5.3.1
23.5.3.2
23.5.4.1
23.6.1.1
23.6.2.0
23.6.3.0
23.6.3.1
23.6.4.0
23.6.5.0
23.6.5.1
23.7.1.0
23.7.2.0
23.7.3.1
23.7.4.0
23.7.4.1
23.8.1.0
23.8.3.0
23.9.1.0
23.9.1.1
23.9.2.0
23.9.2.1
23.9.3.0
23.9.3.1
23.10.2.0
23.10.3.0
23.10.3.1
23.10.5.0
23.11.1.0
23.11.4.0