PT-2023-31353 · Mindsdb · Mindsdb

Sylwia-Budzynska · Published 2023-12-11 · Updated 2023-12-14 · CVE-2023-49795

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MindsDB versions prior to 23.11.4.1

Description: MindsDB connects artificial intelligence models to real-time data. The issue is a server-side request forgery (SSRF) vulnerability in the file.py module. It can lead to limited information disclosure, allowing the retrieval of files with specific extensions and potentially the scanning of internal networks for open ports or existing files. The vulnerability is caused by a lack of validation of the user-controlled URL held in the source variable, which can be used to make arbitrary requests from the server.

Recommendations: For versions prior to 23.11.4.1, use MindsDB's staging branch or update to version 23.11.4.1, which contains a fix for the issue. As a temporary workaround, consider restricting access to the file.py module or disabling the functionality that uses the source variable until the patch is applied.
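The description says the root cause is that a user-controlled URL is fetched without validation. The following Python guard is an added example of the kind of check a defender would put in front of such a fetch; it is example code written for this page, not MindsDB's code or its fix. The function name `validate_source_url`, the extension allowlist and the DNS table are assumptions/constructed so the example runs offline. It rejects non-HTTP schemes, embedded credentials, disallowed file extensions, and any host that resolves (even partially) to a loopback, private, link-local or other non-public address.

```python
"""Illustrative SSRF guard for a user-supplied 'source' URL.

Example code, not MindsDB's own; names and sample data are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the file types the importer is meant to fetch.
ALLOWED_EXTENSIONS = {".csv", ".json", ".parquet", ".xlsx"}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is judged as the IPv4 address
    return ip.is_global and not (
        ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or ip.is_loopback or ip.is_link_local
    )


def _resolve(host, resolver):
    """Return every address the host maps to (all A/AAAA records)."""
    try:
        return [ipaddress.ip_address(host)]  # literal address, no DNS lookup
    except ValueError:
        pass
    infos = resolver(host, None)  # same shape as socket.getaddrinfo
    # sockaddr[0] is the textual address; drop any IPv6 scope id (%eth0).
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def validate_source_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if not any(parts.path.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS):
        return False, "file extension not allowed"
    try:
        addresses = _resolve(parts.hostname, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve host: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    # Every record must be public: a name with one internal record is rejected.
    for ip in addresses:
        if not _is_public(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table so the example runs without network access.
CONSTRUCTED_DNS = {
    "data.example.com": ["93.184.216.34"],            # constructed public host
    "db.internal.example": ["10.0.0.5"],               # constructed internal host
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # split public/private
}


def fake_resolver(host, port):
    """Stand-in for socket.getaddrinfo backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (addr, 0))
            for addr in CONSTRUCTED_DNS[host]]


if __name__ == "__main__":
    for candidate in [
        "https://data.example.com/report.csv",
        "file:///etc/passwd",
        "http://127.0.0.1:8080/local.csv",
        "http://db.internal.example/dump.csv",
        "http://mixed.example.com/dump.csv",
    ]:
        print(candidate, "->", validate_source_url(candidate, fake_resolver))
```

Two caveats belong with a check like this. The address that passed validation should be the one the fetch actually connects to (pin it, or re-resolve and re-check immediately before connecting), otherwise a name that changes between check and use defeats the guard. And HTTP redirects must either be disabled or have each redirect target run through the same validation, since a public URL that redirects to an internal address is an SSRF by another route.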

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-49795
GHSA-34MR-6Q8X-G9R6
PYSEC-2023-277

Affected Products

Mindsdb