Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zNG1yLTZxOHgtZzlyNs4AA3q5

Server-Side Request Forgery in mindsdb

Impact

The put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled URL in the source variable and uses it to create arbitrary requests on line 115, which allows Server-side request forgery (SSRF). This issue may lead to Information Disclosure. The SSRF allows for forging arbitrary network requests from the MindsDB server. It can be used to scan nodes in internal networks for open ports that may not be accessible externally, as well as scan for existing files on the internal network. It allows for retrieving files with csv, xls, xlsx, json or parquet extensions, which will be viewable via MindsDB GUI. For any other existing files, it is a blind SSRF.

Patches

Use mindsdb staging branch or v23.11.4.1

References

Permalink: https://github.com/advisories/GHSA-34mr-6q8x-g9r6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNG1yLTZxOHgtZzlyNs4AA3q5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-34mr-6q8x-g9r6, CVE-2023-49795
References: Repository: https://github.com/mindsdb/mindsdb
Blast Radius: 12.2

Affected Packages

pypi:mindsdb
Dependent packages: 0
Dependent repositories: 75
Downloads: 16,507 last month
Affected Version Ranges: < 23.11.4.1
Fixed in: 23.11.4.1
All affected versions:
All unaffected versions: 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.2, 1.1.3, 1.1.7, 1.1.9, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.8, 1.2.9, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.9, 1.4.10, 1.5.0, 1.5.1, 1.5.2, 1.5.4, 1.6.0, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.12, 1.6.13, 1.6.15, 1.6.17, 1.6.18, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.8.0, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.5, 1.9.6, 1.10.0, 1.10.2, 1.10.3, 1.11.0, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.8, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.13.11, 1.13.12, 1.13.15, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.1, 1.15.2, 1.15.6, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.6, 1.17.8, 1.17.9, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.5, 1.18.6, 1.18.7, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.27.0, 1.27.1, 1.99.0, 1.99.1, 1.99.3, 1.99.4, 1.99.5, 1.99.6, 1.99.7, 1.99.8, 1.99.9, 1.99.10, 1.99.11, 2.0.0, 2.1.0, 2.1.2, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.3, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.4, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.14.0, 2.15.0, 2.17.1, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.4, 2.19.5, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.22.0, 2.22.1, 2.22.2, 2.23.0, 2.24.0, 2.24.1, 2.25.0, 2.25.1, 2.25.2, 2.25.3, 2.26.0, 2.27.0, 2.28.0, 2.30.0, 2.30.1, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.1, 2.41.2, 2.42.0, 2.42.1, 2.42.2, 2.43.0, 2.44.0, 2.45.0, 2.45.1, 2.45.2, 2.50.0, 2.51.0, 2.51.1, 2.51.2, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.55.1, 2.55.2, 2.56.0, 2.57.0, 2.58.0, 2.58.1, 2.58.2, 2.58.3, 2.59.0, 2.60.0, 2.60.1, 2.61.0, 2.62.0, 2.62.1, 2.62.2, 2.62.3, 2.62.4