CVE-2023-49796

Name of the Vulnerable Software and Affected Versions MindsDB versions prior to 23.11.4.1

Description MindsDB connects artificial intelligence models to real-time data. The issue is related to a limited file write vulnerability in the file.py module. This vulnerability may lead to arbitrary file write, allowing files to be written anywhere on the server that the filesystem permissions of the running server have access to. The put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled name value, which is used in a temporary file name and can lead to path injection.

Recommendations For versions prior to 23.11.4.1, use MindsDB's staging branch or update to version 23.11.4.1, which contains a fix for the issue. As a temporary workaround, consider restricting access to the file.py module until the issue is resolved. Avoid using the name variable in the affected API endpoint until the issue is resolved.