CVE-2023-49795: GitHub Security Lab (GHSL) Vulnerability Report GHSL-2023-182
MindsDB connects artificial intelligence models to real-time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in file.py. This can lead to limited information disclosure. Users should use MindsDB's staging branch or v23.11.4.1, which contain a fix for the issue.
Package: mindsdb (pip)
Affected versions: 23.7.4.1
Patched versions: 23.11.4.1
Description

### Impact

Issue 1: SSRF in file.py (GHSL-2023-182)

The `put` method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled URL held in the `source` variable and passes it straight into an outbound request on line 115, which allows server-side request forgery (SSRF). The MindsDB server can therefore be made to issue arbitrary network requests on an attacker's behalf, which may lead to information disclosure:

* Internal scanning: hosts on internal networks can be probed for open ports that are not reachable from outside, and the internal network can be scanned for existing files.
* File retrieval: files with `csv`, `xls`, `xlsx`, `json` or `parquet` extensions are fetched and become viewable via the MindsDB GUI.
* Blind SSRF: for any other existing file the response body is not shown, so only the success or failure of the request is observable.

### Patches

Use the MindsDB staging branch or v23.11.4.1, which contain the fix.

### References

* GHSL-2023-182
* [SSRF prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
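The guard below is an added example of the kind of validation the `put` handler lacked before the `source` URL is fetched; it is not MindsDB's code and not the project's actual fix. The function name `check_source_url`, the `FAKE_DNS` table and the sample URLs are constructed for an offline demonstration. It rejects non-HTTP schemes, URLs carrying credentials, and any host whose literal address or every DNS answer is not a globally routable unicast address, so loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata endpoint) and IPv4-mapped IPv6 literals are all refused.

```python
"""SSRF guard for a user-supplied "source" URL (added example, not MindsDB code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the host resolves to (A and AAAA).

    Resolving, rather than string-matching the host, also covers obfuscated
    literals such as 0x7f000001 or 127.1 that getaddrinfo maps to 127.0.0.1.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT,
    documentation, multicast, reserved and unspecified ranges. IPv4-mapped
    IPv6 addresses (::ffff:127.0.0.1) are unwrapped first so they cannot
    smuggle a private IPv4 address past the check.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def check_source_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a URL before the server fetches it."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal, no lookup needed
    except ValueError:
        addresses = resolver(host)  # hostname: check every address it resolves to
    if not addresses:
        return False, "host does not resolve: %r" % host
    for ip_text in sorted(addresses):
        if not is_public_address(ip_text):
            return False, "host %r resolves to non-public address %s" % (host, ip_text)
    return True, "ok"


# Constructed DNS table for the offline demonstration; these are not real records.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "files.internal": {"10.0.0.5"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},  # one public and one private answer
}


def fake_resolver(host):
    """Stand-in for resolve_all() so the demo runs without network access."""
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for candidate in [
        "https://example.com/data.csv",
        "http://127.0.0.1:47334/api/status",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/x.json",
        "file:///etc/passwd",
        "http://files.internal/report.csv",
        "http://rebind.example/a.csv",
        "http://0x7f000001/x.csv",
    ]:
        print(candidate, "->", check_source_url(candidate, fake_resolver))
```

This check is only the validation step. A host that resolves cleanly here can still point somewhere else by the time the HTTP client resolves it again (DNS rebinding), and an upstream server can redirect to an internal address, so a complete fix connects to the vetted IP rather than re-resolving, disables redirects or re-runs the check on each `Location`, and keeps the existing extension allowlist for what is ingested.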