PT-2024-6371

Published: 2024-09-10 · Updated: 2024-09-16 · CVE-2024-45846

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

MindsDB versions 23.10.3.0 through 24.7.4.1

Description

An arbitrary code execution issue exists when the Weaviate integration is installed on the server. If a specially crafted SELECT ... WHERE clause containing Python code is run against a database created with the Weaviate engine, the code is passed to an eval function and executed on the server. The cause is incorrect handling of code generation in the eval function of the MindsDB platform. Exploitation of this issue may allow a remote attacker to execute arbitrary code by injecting a specially formed query.

Recommendations

For MindsDB versions 23.10.3.0 through 24.7.4.1, consider disabling the Weaviate integration until a patch is available. As a temporary workaround, restrict the use of SELECT ... WHERE clauses in databases created with the Weaviate engine to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
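As an added illustration of the bug class described above (hypothetical code written for this advisory, not MindsDB's Weaviate handler): a simplified WHERE-clause value parser that hands each value to eval(), beside a hardened version that accepts only Python literals via ast.literal_eval, plus a small AST check a defender can use to log values that contain names or calls. The sample clauses are constructed.

```python
import ast
import re
from typing import Any, Callable

# Constructed sample WHERE clauses (not taken from MindsDB or from any real query).
BENIGN_CLAUSE = "category = 'books' AND year = 2021"
CODE_CLAUSE = "category = len('books')"   # valid Python, not a literal


def split_conditions(where: str) -> list[tuple[str, str]]:
    """Split a simple 'col = value AND col = value' clause into (column, raw_value) pairs.
    Hypothetical helper standing in for the handler's own clause parsing."""
    pairs = []
    for cond in re.split(r"\s+AND\s+", where, flags=re.IGNORECASE):
        col, _, raw = cond.partition("=")
        pairs.append((col.strip(), raw.strip()))
    return pairs


def parse_value_unsafe(raw: str) -> Any:
    """The pattern the advisory describes: the raw value text is handed to eval(),
    so any valid Python expression is executed rather than merely converted."""
    return eval(raw)  # deliberately vulnerable, for illustration only


def parse_value_safe(raw: str) -> Any:
    """Hardened variant: ast.literal_eval accepts only literals (strings, numbers,
    tuples, lists, dicts, booleans, None) and rejects names, calls and attribute access."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"WHERE value is not a literal: {raw!r}") from exc


def build_filter(where: str, parse_value: Callable[[str], Any] = parse_value_safe) -> dict[str, Any]:
    """Turn a WHERE clause into a column -> value mapping using the given value parser."""
    return {col: parse_value(raw) for col, raw in split_conditions(where)}


def non_literal_nodes(raw: str) -> list[str]:
    """AST node types a literal never contains; non-empty means the value is code worth logging."""
    try:
        tree = ast.parse(raw, mode="eval")
    except SyntaxError:
        return ["SyntaxError"]
    suspicious = (ast.Call, ast.Name, ast.Attribute, ast.Subscript, ast.Lambda)
    return sorted({type(n).__name__ for n in ast.walk(tree) if isinstance(n, suspicious)})
```

Running build_filter(CODE_CLAUSE, parse_value=parse_value_unsafe) executes the call and returns {"category": 5}, while the default literal-only parser raises ValueError for the same clause.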

Exploit

Weakness Enumeration

Eval Injection
Code Injection

Related Identifiers

BDU:2024-07413
CVE-2024-45846
GHSA-WCJW-3V6P-4V3R
PYSEC-2024-77

Affected Products

Mindsdb
Weaviate