PT-2024-6367 · Microsoft · Sharepoint Server
Published 2024-09-10 · Updated 2024-09-16 · CVE-2024-45851
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
MindsDB versions 23.10.5.0 through 24.7.4.1
Description
An arbitrary code execution vulnerability exists when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, a specially crafted 'INSERT' query can be used to execute Python code on the server, because the supplied value is passed to an eval function. The root cause is incorrect handling of the code generated for the eval function in the MindsDB platform.
Recommendations
For versions 23.10.5.0 through 24.7.4.1, consider disabling the Microsoft SharePoint integration until a patch is available. As a temporary workaround, restrict the use of 'INSERT' queries against databases created with the SharePoint engine to reduce the risk of arbitrary code execution, and do not issue queries that may contain Python code in their values. At the moment, there is no information about a newer version that contains a fix for this issue.
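To make the vulnerability class concrete, here is an added illustration (hypothetical code, not MindsDB's SharePoint handler) of the weak pattern the description names, a value from an 'INSERT' handed to eval(), beside a hardened converter that accepts only Python literals and a check that can flag non-literal values for logging:

```python
import ast

# Constructed example: an integration converts each INSERT value (received as a
# string) into a Python object. The function names below are hypothetical.


def convert_value_unsafe(raw: str):
    """Vulnerable pattern: the query value goes straight to eval(), so any
    Python expression in the value runs with the server's privileges."""
    return eval(raw)  # kept only to show the flaw; never do this


def is_python_literal(raw: str) -> bool:
    """True if raw parses as a pure literal (number, string, list, dict, ...).
    Names, calls, attribute access and arbitrary operators are rejected."""
    try:
        ast.literal_eval(raw)
        return True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False


def convert_value_safe(raw: str):
    """Hardened form: only literals are interpreted; anything else is kept as
    an ordinary string and can be logged as a suspicious INSERT value."""
    return ast.literal_eval(raw) if is_python_literal(raw) else raw


def build_row(columns, values, converter=convert_value_safe):
    """Map INSERT column names to converted values using the given converter."""
    if len(columns) != len(values):
        raise ValueError("column/value count mismatch")
    return {col: converter(val) for col, val in zip(columns, values)}
```

With the unsafe converter, any expression is executed; with the safe one, a value that is not a literal is stored verbatim, which both neutralises the injection and gives a clear signal to alert on.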
Exploit
Fix
Eval Injection
Code Injection
Related Identifiers
Affected Products
Sharepoint Server