CVE-2024-45855

Name of the Vulnerable Software and Affected Versions: MindsDB versions 23.10.2.0 and newer

Description: The issue concerns the deserialization of untrusted data in the MindsDB platform. This allows a maliciously uploaded 'inhouse' model to run arbitrary code on the server when using 'finetune' on it. The vulnerability is remotely exploitable.

Recommendations: For MindsDB versions 23.10.2.0 and newer, consider disabling the 'finetune' functionality for 'inhouse' models until a patch is available to prevent arbitrary code execution. Restrict the upload of 'inhouse' models to trusted sources to minimize the risk of exploitation. As a temporary workaround, review and enhance the security posture of the MindsDB platform to prevent deserialization of untrusted data.