PT-2024-6366 · Microsoft · Sharepoint Server

Kasimir Schulz +2 · Published 2024-09-10 · Updated 2024-09-16 · CVE-2024-45850

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

MindsDB versions 23.10.5.0 through 24.7.4.1

Description

An arbitrary code execution issue exists when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, a specially crafted INSERT query containing Python code can be used to execute code on the server. This occurs because the code is passed to an eval function. The vulnerability stems from improper control of code generation in the eval function of the MindsDB platform, which allows a remote attacker to execute arbitrary code by injecting a specially crafted INSERT query.

Recommendations

To prevent exploitation on MindsDB versions 23.10.5.0 through 24.7.4.1, consider disabling the Microsoft SharePoint integration until a patch is available. As a temporary workaround, restrict the use of INSERT queries against databases created with the SharePoint engine to minimize the risk of arbitrary code execution. Avoid using the eval function in the MindsDB platform until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
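
The eval pattern described above beside a hardened form, as an added example that is not MindsDB's own code. The function names, the length cap and the sample values are assumptions constructed for illustration.

```python
import ast

MAX_VALUE_LEN = 4096  # assumed cap on one INSERT value, not a MindsDB setting

class UnsafeValueError(ValueError):
    """Raised when an INSERT value is not a plain Python literal."""

def parse_value_unsafe(text):
    # The pattern the description names: query text reaches eval(), so any
    # expression inside the value runs with the server's privileges.
    return eval(text)

def parse_value_safe(text):
    # ast.literal_eval only builds literals (strings, numbers, lists, dicts,
    # tuples, sets, booleans, None); calls, names and attribute access fail.
    if len(text) > MAX_VALUE_LEN:
        raise UnsafeValueError("value too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafeValueError(f"not a literal: {text[:40]!r}") from exc

def parse_insert_row(columns, raw_values):
    # Hypothetical handler step: map INSERT column names to parsed values.
    if len(columns) != len(raw_values):
        raise UnsafeValueError("column/value count mismatch")
    return {c: parse_value_safe(v) for c, v in zip(columns, raw_values)}

# Constructed sample input: a benign row and a harmless probe expression
# whose only side effect is appending to MARKER.
MARKER = []
BENIGN_ROW = (["title", "fields"],
              ["'Quarterly report'", "[{'name': 'owner', 'required': True}]"])
PROBE = "MARKER.append('executed')"

def demo():
    """Return (probe ran under eval, probe rejected by safe parser, ran anyway)."""
    MARKER.clear()
    parse_value_unsafe(PROBE)
    ran_under_eval = bool(MARKER)
    MARKER.clear()
    try:
        parse_value_safe(PROBE)
        rejected = False
    except UnsafeValueError:
        rejected = True
    return ran_under_eval, rejected, bool(MARKER)

if __name__ == "__main__":
    print(demo(), parse_insert_row(*BENIGN_ROW))
```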

Exploit

Eval Injection

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-07408
CVE-2024-45850
GHSA-V6G6-3CM3-VF6C
PYSEC-2024-80

Affected Products

Sharepoint Server