Headline

GHSA-9gq6-6936-885w: MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server.

1 month ago

ghsa

Open in Source

#vulnerability #auth #chrome

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

ghsa: Latest News

GHSA-hxf5-99xg-86hw: cap-std doesn't fully sandbox all the Windows device filenames

3 hours ago

ghsa

GHSA-c2f5-jxjv-2hh8: Wasmtime doesn't fully sandbox all the Windows device filenames

3 hours ago

ghsa

GHSA-4cf2-cxp3-rjr7: HAPI FHIR XML External Entity (XXE) vulnerability

7 hours ago

ghsa

GHSA-v2qh-f584-6hj8: @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled

8 hours ago

ghsa

GHSA-5wmg-9cvh-qw25: @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled

8 hours ago

ghsa