MindsDB Platform Vulnerability: Deserialization of Untrusted Data Can Lead to Arbitrary Code Execution
CVE-2024-45854

7.5HIGH

Key Information:

Vendor: Mindsdb
Status: Mindsdb
Vendor: CVE Published:; 12 September 2024

What is CVE-2024-45854?

A deserialization vulnerability exists in the MindsDB platform starting from version 23.10.3.0, where untrusted data can be deserialized. This flaw allows an attacker to upload a malicious 'inhouse' model, which can execute arbitrary code on the server when the model is queried with a 'describe' command. This can lead to severe security implications and compromises the integrity of the affected systems.

Affected Version(s)

mindsdb 23.10.3.0

References

https://hiddenlayer.com/sai-security-advisory/2024-09-min...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2024
Vulnerability Reserved
Sep 10, 2024

Mindsdb

What is CVE-2024-45854?

Affected Version(s)

References

CVSS V3.1

Timeline