Headline
CVE-2023-49796: GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-184
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in file.py Users should use MindsDB’s staging branch or v23.11.4.1, which contain a fix for the issue.
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Search code, repositories, users, issues, pull requests…
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Related news
### Impact The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to. ### Patches Use mindsdb staging branch or v23.11.4.1 ### References * GHSL-2023-184 * See [CodeQL path injection prevention guidelines](https://codeql.github.com/codeql-query-help/python/py-path-injection/) and [OWASP guidelines](https://owasp.org/www-community/attacks/Path_Traversal).