CVE-2024-45849

Name of the Vulnerable Software and Affected Versions MindsDB versions 23.10.5.0 through 24.7.4.1

Description An arbitrary code execution issue exists when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, a specially crafted 'INSERT' query can be used to execute Python code on the server. This is due to incorrect management of code generation, allowing a remote attacker to execute arbitrary code by injecting a specially formed query.

Recommendations For MindsDB versions 23.10.5.0 through 24.7.4.1, consider disabling the Microsoft SharePoint integration until a patch is available to prevent exploitation. As a temporary workaround, restrict the ability to run 'INSERT' queries against databases created with the SharePoint engine to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.