Arbitrary File Write when Extracting Tarballs Retrieved from a Remote Location in mindsdb
CVE-2022-23522
What is CVE-2022-23522?
MindsDB, an open-source platform for machine learning, is vulnerable because it extracts remotely retrieved tarballs with shutil.unpack_archive() without validating member paths. This allows an attacker to craft a malicious tarball whose member names contain path traversal sequences, so that extraction writes files outside the intended destination directory. If exploited, the vulnerability could enable unauthorized access to and manipulation of critical system files. The issue affects versions prior to 22.11.4.3, and users are strongly advised to upgrade immediately. For those unable to upgrade, it is crucial to avoid processing archives from untrusted or suspicious sources.
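The advisory above describes the general weakness: tarfile/shutil extraction trusts member names, so a member named with `../` (or an absolute path, or a link whose target escapes the directory) lands outside the destination. The following is an added example, not MindsDB's code and not the project's fix; it shows the check a hardened extractor performs before touching the filesystem. Both archives are constructed in memory, the member names and helper names (`build_tar`, `unsafe_members`, `safe_extract`, `demo`) are this example's own, and the `tarfile.data_filter` layer applies only on Python versions that ship it.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_tar(members):
    """Build an in-memory tar archive from a {member_name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives (not taken from the advisory): one benign, one
# whose member name carries the kind of traversal sequence the advisory describes.
BENIGN_TAR = build_tar({"model/weights.bin": b"\x00\x01", "model/meta.json": b"{}"})
TRAVERSAL_TAR = build_tar({"../outside.txt": b"would land next to dest"})


def _inside(root, candidate):
    """True if candidate (already resolved) is root itself or lies below it."""
    return os.path.commonpath([root, candidate]) == str(root)


def unsafe_members(tar_bytes, dest):
    """Names of members that would write outside dest once extracted.

    Catches '../' traversal, absolute member names, and symlinks/hardlinks
    whose target escapes dest. An empty list means every member stays under dest.
    """
    root = Path(dest).resolve()
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = (root / m.name).resolve()
            if not _inside(root, target):
                bad.append(m.name)
                continue
            if m.issym():  # symlink target is relative to the link's own directory
                link = (target.parent / m.linkname).resolve()
                if not _inside(root, link):
                    bad.append(m.name)
            elif m.islnk():  # hardlink target is relative to the archive root
                link = (root / m.linkname).resolve()
                if not _inside(root, link):
                    bad.append(m.name)
    return bad


def safe_extract(tar_bytes, dest):
    """Extract only after every member has been validated; returns extracted names."""
    bad = unsafe_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    # Where the stdlib ships tarfile.data_filter (3.12+ and the 2023 backports),
    # also apply the 'data' filter as a second, independent layer.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def demo():
    """Run both constructed archives through the checks in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(BENIGN_TAR, dest)
        try:
            safe_extract(TRAVERSAL_TAR, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "benign_extracted": extracted,
            "traversal_rejected": rejected,
            "traversal_flagged": unsafe_members(TRAVERSAL_TAR, dest),
        }


if __name__ == "__main__":
    print(demo())
```

The validation resolves each member against the destination and compares prefixes on the resolved paths, so `..` segments, absolute names and link targets are all judged by where they actually end up rather than by string matching on `../`. On Python 3.12 and later, `shutil.unpack_archive()` and `TarFile.extractall()` accept `filter="data"`, which rejects the same classes of member; the explicit check here is what a codebase pinned to older interpreters needs, and it costs nothing to keep both.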

Affected Version(s)
mindsdb < 22.11.4.3
