PT-2024-6368 · Mindsdb · Mindsdb

Published 2024-09-10 · Updated 2024-09-16 · CVE-2024-45847

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MindsDB versions 23.11.4.2 through 24.7.4.1

Description: An arbitrary code execution issue exists when one of several integrations is installed on the server. If a specially crafted UPDATE query containing Python code is run against a database created with the affected integration engine, the code is passed to an eval function and executed on the server. The root cause is improper neutralization of query content before it is dynamically evaluated (eval injection) in the MindsDB platform's integration layer for automating data exchange between pipelines. Exploitation may allow a remote, authenticated attacker to execute arbitrary code on the server by submitting a specially crafted UPDATE query.

Recommendations: For MindsDB versions 23.11.4.2 through 24.7.4.1, update to a patched version. If updating is not immediately possible, uninstall or disable the affected integration engines and restrict the ability to run queries against MindsDB to trusted users, since the attack requires only a crafted UPDATE statement against a database backed by one of those engines. Note that avoiding UPDATE statements with Python code in your own workloads does not protect against an attacker issuing them.
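The pattern behind this class of flaw, shown as an added example rather than MindsDB's own code: a query handler extracts the value expression from the SET clause of an UPDATE statement and hands it to Python's eval(), so whoever can submit the query runs arbitrary Python on the server. The hardened form parses the expression into an AST and evaluates only an allow-list of literal and arithmetic nodes. The statement shapes, the regular-expression parser and the function names (parse_update, vulnerable_set_value, safe_set_value, is_safe_update) are assumptions for illustration, not identifiers from the advisory or the project.

```python
from __future__ import annotations

import ast
import operator
import re
from typing import Any

# Constructed sample statements (not from the advisory). Only the expression on the
# right-hand side of SET matters here: if the handler eval()s it, the submitter gets
# arbitrary Python on the server, which is the class of flaw the advisory describes.
BENIGN_UPDATE = "UPDATE prices SET amount = 2 * 21 WHERE id = 7"
MALICIOUS_UPDATE = "UPDATE prices SET amount = __import__('os').getpid() WHERE id = 7"

# Minimal recogniser for a single-column UPDATE (hypothetical; a real engine uses
# its SQL parser). Captures table, column, SET expression and WHERE condition.
_UPDATE_RE = re.compile(
    r"^UPDATE\s+(\w+)\s+SET\s+(\w+)\s*=\s*(.+?)\s+WHERE\s+(.+)$",
    re.IGNORECASE | re.DOTALL,
)


def parse_update(sql: str) -> tuple[str, str, str, str]:
    """Split 'UPDATE <table> SET <col> = <expr> WHERE <cond>' into its four parts."""
    m = _UPDATE_RE.match(sql.strip())
    if not m:
        raise ValueError("unsupported UPDATE shape")
    return m.group(1), m.group(2), m.group(3).strip(), m.group(4).strip()


def vulnerable_set_value(sql: str) -> Any:
    """Vulnerable pattern: the attacker-controlled SET expression goes straight to eval()."""
    _table, _col, expr, _where = parse_update(sql)
    return eval(expr)  # arbitrary code execution on the server


# Allow-list for the hardened evaluator: literals, +, -, *, / and unary sign only.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_LITERAL_TYPES = (int, float, str, bool, type(None))


def _eval_node(node: ast.AST) -> Any:
    """Evaluate literals and arithmetic on literals; reject every other node type."""
    if isinstance(node, ast.Constant) and isinstance(node.value, _LITERAL_TYPES):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # ast.Name, ast.Call, ast.Attribute, ast.Subscript, lambdas, comprehensions ...
    # all land here, so __import__('os').getpid() is refused before anything runs.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")


def safe_set_value(sql: str) -> Any:
    """Hardened replacement: parse the SET expression to an AST and walk the allow-list."""
    _table, _col, expr, _where = parse_update(sql)
    try:
        tree = ast.parse(expr, mode="eval")
        return _eval_node(tree.body)
    except (SyntaxError, ZeroDivisionError) as exc:
        raise ValueError(f"rejected SET expression: {exc}") from exc


def is_safe_update(sql: str) -> bool:
    """True when the SET expression passes the allow-list, False when it is rejected."""
    try:
        safe_set_value(sql)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("benign, hardened   :", safe_set_value(BENIGN_UPDATE))
    print("malicious, accepted:", is_safe_update(MALICIOUS_UPDATE))
```

The allow-list approach is deliberately narrow: a SET value should be a literal or simple arithmetic, so anything that names an identifier, calls a function or reaches into an attribute is refused before evaluation. In production the evaluator should also bound operand sizes (a string times a large integer is still accepted here), and the expression should come from the engine's real SQL parser rather than a regular expression.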

Exploit

Fix

Weakness Enumeration

Eval Injection
Code Injection

Related Identifiers

BDU:2024-07410
CVE-2024-45847
GHSA-CRMG-RP64-5CM3

Affected Products

Mindsdb