PT-2024-6369

Published 2024-09-10 · Updated 2024-09-16 · CVE-2024-45848

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MindsDB versions 23.12.4.0 through 24.7.4.1
Description: An arbitrary code execution issue exists when the ChromaDB integration is installed on the server. If a specially crafted INSERT query containing Python code is run against a database created with the ChromaDB engine, the code is passed to an eval function and executed on the server. The root cause is that the MindsDB platform, which automates data exchange between pipelines, hands query-supplied data to eval without proper handling. Exploitation of this issue may allow a remote attacker to execute arbitrary code by injecting a specially crafted "INSERT" query.
Recommendations: For MindsDB versions 23.12.4.0 through 24.7.4.1, update urgently to a version that contains a fix for this issue to stay secure. As a temporary workaround, consider disabling the ChromaDB integration until a patch is available. Restrict access to the eval function to minimize the risk of exploitation. Avoid using specially crafted INSERT queries in the affected API endpoint until the issue is resolved.
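As an added illustration (not code from this advisory or from MindsDB), the pattern the description refers to: a handler that turns the string value of an inserted row into a dict with eval(), beside a hardened parser that accepts only literal data. The function names, the "metadata" column role and both sample rows are constructed assumptions; the hostile row only appends to a list so the effect of eval is visible without doing harm.

```python
import ast
import json
from typing import Any, Dict

# Constructed marker: a harmless side effect that proves an expression ran.
SIDE_EFFECT_LOG = []

def parse_metadata_vulnerable(value: str) -> Any:
    """Vulnerable pattern (assumed shape, not MindsDB's code): eval() on a
    row value, so any Python expression in the INSERT value runs server-side."""
    return eval(value)  # deliberately unsafe, for the demonstration only

def parse_metadata_hardened(value: str) -> Dict[str, Any]:
    """Hardened replacement: accept a JSON object or a dict literal only.
    json.loads and ast.literal_eval never evaluate names, calls or operators,
    so an injected expression is rejected instead of executed."""
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        try:
            parsed = ast.literal_eval(value)
        except (ValueError, SyntaxError) as exc:
            raise ValueError("metadata must be a JSON object or dict literal") from exc
    if not isinstance(parsed, dict):
        raise ValueError("metadata must be a mapping")
    return parsed

# Constructed row values as they could arrive in INSERT ... VALUES (...).
BENIGN_ROW = '{"source": "doc1", "page": 3}'
# Harmless stand-in for injected code: calls a function, then yields a dict.
HOSTILE_ROW = "(lambda: SIDE_EFFECT_LOG.append('ran'))() or {}"

def demo() -> Dict[str, Any]:
    """Run both parsers over both rows and report what happened."""
    SIDE_EFFECT_LOG.clear()
    out: Dict[str, Any] = {}
    out["vuln_benign"] = parse_metadata_vulnerable(BENIGN_ROW)
    out["vuln_hostile"] = parse_metadata_vulnerable(HOSTILE_ROW)
    out["code_ran"] = SIDE_EFFECT_LOG == ["ran"]  # True: eval executed the call
    out["hard_benign"] = parse_metadata_hardened(BENIGN_ROW)
    try:
        parse_metadata_hardened(HOSTILE_ROW)
        out["hard_hostile"] = "accepted"
    except ValueError:
        out["hard_hostile"] = "rejected"
    return out
```

The same check applies to any column whose value is reconstructed from a string; a detection rule for this class of bug is simply an INSERT whose string value parses as a Python expression but not as JSON.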

Weakness Enumeration

Eval Injection
Code Injection

Related Identifiers

BDU:2024-07411
CVE-2024-45848
GHSA-9GQ6-6936-885W
PYSEC-2024-78

Affected Products

Chromadb
Mindsdb