PyPi: Mindsdb

CVE-2024-45854

Safety vulnerability ID: 73320

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 12, 2024 Updated at Nov 26, 2024

Scan your Python projects for vulnerabilities →

Advisory

MindsDB platform affected versions contain a critical vulnerability in the 'describe' function of the BYOM (Bring Your Own Model) handler. This function deserializes untrusted data from 'inhouse' models using pickle.loads(), potentially allowing arbitrary code execution on the server when a user runs a 'describe' query on a maliciously crafted model. Attackers could exploit this vulnerability to compromise the system, access sensitive data, or perform unauthorized actions. MindsDB users should exercise extreme caution when using 'inhouse' models, especially from untrusted sources, and consider disabling this feature until a security patch is available.

Affected package

mindsdb

Latest version: 24.11.4.0

MindsDB's AI SQL Server enables developers to build AI tools that need access to real-time data to perform their tasks

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH