MindsDB has arbitrary file write in file.py
CVE-2023-50731

9.1CRITICAL

Key Information:

Vendor

mindsdb

Status
mindsdb
Vendor
CVE Published:
22 December 2023

What is CVE-2023-50731?

MindsDB, a SQL Server designed for artificial intelligence, exhibits a path injection vulnerability in its API. This occurs when user-controlled name values are not validated in the put method, specifically in the file management namespace. Unauthorized users can exploit this weakness to manipulate temporary file names, leading to potential unauthorized file access and arbitrary file writing. While MindsDB attempts file type checks post-write, the lack of initial validation allows potentially dangerous files to persist on the server, which also enables attackers to delete critical zip or tar.gz files. Security updates are essential to mitigate this vulnerability.

Affected Version(s)

mindsdb < 23.11.4.1

References

https://securitylab.github.com/advisories/GHSL-2023-182_G...
x_refsource_CONFIRM
https://github.com/mindsdb/mindsdb/security/advisories/GH...
x_refsource_MISC
https://github.com/mindsdb/mindsdb/blob/1821da719f34c0228...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.