GSA_kwCzR0hTQS03dmhqLXBmd3YtaHgzd84AA_fr

High CVSS: 8.7 EPSS: 0.00306% (0.53399 Percentile) EPSS:

Permalink JSON

MindsDB Deserialization of Untrusted Data vulnerability

Affected Packages	Affected Versions	Fixed Versions
pypi:mindsdb	>= 23.3.2.0, <= 24.9.2.1	No known fixed version
0 Dependent packages 75 Dependent repositories 13,725 Downloads last month Affected Version Ranges All affected versions

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-45852
https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb
https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/proc_wrapper.py#L54-L55
https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-82.yaml
https://github.com/advisories/GHSA-7vhj-pfwv-hx3w

Identifiers

GHSA-7vhj-pfwv-hx3w

CVE-2024-45852

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00306

EPSS Percentile: 0.53399

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/mindsdb/mindsdb

Date and time

Published

11 months ago

Updated

11 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories