GHSA-crmg-rp64-5cm3

Source

https://github.com/advisories/GHSA-crmg-rp64-5cm3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-crmg-rp64-5cm3

Aliases

CVE-2024-45847

Published

2024-09-12T15:33:00Z

Modified

2024-09-16T21:22:51.746484Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

MindsDB Eval Injection vulnerability

Details

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.

Database specific

{
    "github_reviewed_at": "2024-09-12T17:03:59Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-94",
        "CWE-95"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2024-09-12T13:15:13Z"
}

References

Affected packages

PyPI / mindsdb

Package

Name: mindsdb; View open source insights on deps.dev
Purl: pkg:pypi/mindsdb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

23.11.4.2

Fixed

24.7.4.1

Affected versions

23.*

23.11.4.4a6

23.12.4.0

23.12.4.1

23.12.4.2

24.*

24.1.4.0

24.2.3.0

24.3.4.0

24.3.4.1

24.3.4.2

24.3.5.0

24.4.2.0

24.4.2.1

24.4.3.0

24.5.4.0

24.6.1.0

24.6.1.1

24.6.2.0

24.6.2.2

24.6.3.0

24.6.3.1

24.6.4.1

24.7.1.0

24.7.2.0

24.7.3.0

24.7.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json"