Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jcmhwLTdjNzQtY2c0Y84AA3q6

Improper Input Validation in mindsdb

Impact

The put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled name value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to.

Patches

Use mindsdb staging branch or v23.11.4.1

References

GHSL-2023-184
See CodeQL path injection prevention guidelines and OWASP guidelines.

Permalink: https://github.com/advisories/GHSA-crhp-7c74-cg4c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcmhwLTdjNzQtY2c0Y84AA3q6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 29 days ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Percentage: 0.00063
EPSS Percentile: 0.29295

Identifiers: GHSA-crhp-7c74-cg4c, CVE-2023-49796
References:

Repository: https://github.com/mindsdb/mindsdb
Blast Radius: 9.9

Affected Packages

pypi:mindsdb

Dependent packages: 0
Dependent repositories: 75
Downloads: 14,609 last month
Affected Version Ranges: < 23.11.4.1
Fixed in: 23.11.4.1
All affected versions:
All unaffected versions: 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.2, 1.1.3, 1.1.7, 1.1.9, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.8, 1.2.9, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.9, 1.4.10, 1.5.0, 1.5.1, 1.5.2, 1.5.4, 1.6.0, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.12, 1.6.13, 1.6.15, 1.6.17, 1.6.18, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.8.0, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.5, 1.9.6, 1.10.0, 1.10.2, 1.10.3, 1.11.0, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.8, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.13.11, 1.13.12, 1.13.15, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.1, 1.15.2, 1.15.6, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.6, 1.17.8, 1.17.9, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.5, 1.18.6, 1.18.7, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.27.0, 1.27.1, 1.99.0, 1.99.1, 1.99.3, 1.99.4, 1.99.5, 1.99.6, 1.99.7, 1.99.8, 1.99.9, 1.99.10, 1.99.11, 2.0.0, 2.1.0, 2.1.2, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.3, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.4, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.14.0, 2.15.0, 2.17.1, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.4, 2.19.5, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.22.0, 2.22.1, 2.22.2, 2.23.0, 2.24.0, 2.24.1, 2.25.0, 2.25.1, 2.25.2, 2.25.3, 2.26.0, 2.27.0, 2.28.0, 2.30.0, 2.30.1, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.1, 2.41.2, 2.42.0, 2.42.1, 2.42.2, 2.43.0, 2.44.0, 2.45.0, 2.45.1, 2.45.2, 2.50.0, 2.51.0, 2.51.1, 2.51.2, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.55.1, 2.55.2, 2.56.0, 2.57.0, 2.58.0, 2.58.1, 2.58.2, 2.58.3, 2.59.0, 2.60.0, 2.60.1, 2.61.0, 2.62.0, 2.62.1, 2.62.2, 2.62.3, 2.62.4