PT-2023-31629 · Mindsdb · Mindsdb

Sylwia-Budzynska · Published 2023-12-15 · Updated 2024-01-05 · CVE-2023-50731

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MindsDB versions prior to 23.11.4.1

Description

The issue concerns a path injection vulnerability in the put method of mindsdb/mindsdb/api/http/namespaces/file.py. This vulnerability allows arbitrary file contents to be written due to the lack of validation of the user-controlled name value used in a temporary file name. The temporary directory is deleted, but the potentially dangerous file remains due to the path injection. Additionally, there is another path injection sink that allows an attacker to delete any zip or tar.gz files on the server. The check for specific file types (csv, json, parquet, xls, or xlsx) occurs after the file has been written, resulting in the file remaining on the server, even though an error is returned.

Recommendations

For MindsDB versions prior to 23.11.4.1, use the mindsdb staging branch or update to version 23.11.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the put method in mindsdb/mindsdb/api/http/namespaces/file.py to minimize the risk of exploitation. Avoid using the name value in the affected API endpoint until the issue is resolved.
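
The ordering problem in the description (name used unvalidated, file type checked only after the write) can be avoided by validating before any file is opened. The following is an added example, not MindsDB's code or its actual fix; the helper names and the temporary-directory layout are assumptions.

```python
import os
import tempfile

# Hypothetical helper names (not MindsDB code); extensions are those the advisory lists.
ALLOWED_EXTENSIONS = {".csv", ".json", ".parquet", ".xls", ".xlsx"}


class RejectedUpload(ValueError):
    """Raised before any byte is written to disk."""


def resolve_upload_path(base_dir: str, name: str) -> str:
    """Return a path for `name` that is guaranteed to stay inside base_dir."""
    if not name or "\x00" in name:
        raise RejectedUpload("empty name or NUL byte")
    # Reject separators outright instead of silently stripping them.
    if "/" in name or "\\" in name or name in (".", ".."):
        raise RejectedUpload("name must be a bare file name")
    # File-type check happens BEFORE the write, not after it.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("file type not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path must still be under base.
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedUpload("path escapes upload directory")
    return candidate


def save_upload(name: str, data: bytes) -> int:
    """Validate, write inside a temp dir, and return bytes stored."""
    with tempfile.TemporaryDirectory(prefix="upload_") as tmp:
        path = resolve_upload_path(tmp, name)   # raises before open()
        with open(path, "xb") as fh:            # 'x': never overwrite
            fh.write(data)
        return os.path.getsize(path)


def demo() -> dict:
    """Run constructed sample names through the check."""
    samples = ["data.csv", "../../outside.csv", "/tmp/abs.json",
               "notes.txt", "..", "report.XLSX"]
    results = {}
    for name in samples:
        try:
            results[name] = save_upload(name, b"a,b\n1,2\n")
        except RejectedUpload as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Because every rejection is raised inside resolve_upload_path, a refused upload leaves nothing on disk to clean up.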

Exploit

Fix

Path traversal

SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-50731
GHSA-J8W6-2R9H-CXHJ
PYSEC-2023-279

Affected Products

Mindsdb