PT-2023-22817 · Python · Tarfile

Sim4N6 · Published 2023-03-30 · Updated 2023-04-29 · CVE-2023-30620

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: mindsdb versions prior to 23.2.1.0
Description: The issue is related to an unsafe extraction performed using tarfile.extractall() on a remotely retrieved tarball, which may lead to extracted files being written to an unintended location. This is sometimes referred to as a TarSlip or ZipSlip variant. An attacker may leverage this to overwrite any local file that the server process has access to. There is no risk of file exposure with this vulnerability.
API Endpoints: /<name>
Vulnerable Parameters or Variables: name, file, original file name, source
Function Names: put(), extractall()
The vulnerability can be exploited by crafting a malicious tarball containing a member whose path traverses directories (for example ../../../../../../../../etc/passwd), serving the archive remotely, and submitting it to mindsdb through the PUT request, which overwrites system files on the hosting server.
Recommendations: For versions prior to 23.2.1.0, upgrade to release 23.2.1.0 to address the issue. As a temporary workaround, consider validating the location or the absolute path of each extracted file and discarding those with malicious paths, such as the relative path ../../.. or an absolute path such as /etc/password. A simple wrapper could be written to raise an exception when a path traversal is identified. Restrict access to the tarfile.extractall() function until a patch is available. Avoid using the tarfile module to extract archives from untrusted sources without prior inspection.
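A wrapper of the kind the workaround describes, as an added example rather than code from the advisory or from mindsdb: every member is resolved against the destination before tarfile.extractall() runs, and absolute names, `..` components and links that point outside the destination are rejected. The build_tar helper and the member names are constructed here for illustration only.

```python
import io
import os
import tarfile
import tempfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would be written outside the destination."""


def _is_within(base, target):
    # realpath collapses '..' segments and follows symlinks that already exist on disk
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_members(tar, dest):
    """Return the member names if every entry resolves inside dest, else raise."""
    names = []
    for m in tar.getmembers():
        # Absolute names and '../' components are the TarSlip primitives.
        if os.path.isabs(m.name) or not _is_within(dest, os.path.join(dest, m.name)):
            raise UnsafeTarMember(f"member escapes destination: {m.name!r}")
        if m.issym() or m.islnk():
            # Symlink targets are relative to the link's directory, hard-link targets
            # to the archive root; an escaping link lets a later member escape too.
            rel_dir = os.path.dirname(m.name) if m.issym() else ""
            target = os.path.join(dest, rel_dir, m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, target):
                raise UnsafeTarMember(f"link escapes destination: {m.name!r}")
        names.append(m.name)
    return names


def safe_extractall(data, dest=None):
    """Vet every member, then extract; dest defaults to a fresh temporary directory."""
    dest = dest or tempfile.mkdtemp(prefix="extract_")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        names = check_members(tar, dest)
        tar.extractall(dest)
    return dest, names


def build_tar(entries):
    """Constructed sample: pack {member_name: bytes} into a gzip tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

On Python 3.12 and later (and the security releases of 3.8 to 3.11 that backported extraction filters), tarfile.extractall(dest, filter="data") performs equivalent checks natively and should be preferred where available.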

Tags: Exploit · Fix · Path traversal

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2023-30620 · GHSA-2G5W-29Q9-W6HX · PYSEC-2023-27

Affected Products: Mindsdb · Tarfile