GHSA-crhp-7c74-cg4c: Improper Input Validation in mindsdb

Impact

The `put` method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled `name` value. That value is used to build a temporary file name, which is then opened for writing on lines 122-125, so the caller controls the path (path injection). This may lead to arbitrary file write: files can be written anywhere on the server that the filesystem permissions of the running server process allow.
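As an added illustration (not MindsDB's code and not the patched `file.py`), the unsafe pattern the advisory describes beside a hardened version that validates the name before the file is opened; the `base_dir` scratch directory, the name allowlist and the sample names are assumptions:

```python
import os
import re
import tempfile

# Constructed example, not MindsDB's code: a user-controlled name joined into a
# temp file path and opened for writing, next to a validated version.

# Assumed allowlist: letters, digits, dot, underscore, dash; no leading dot,
# so "..", ".hidden", "../x" and anything with a separator are rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

def unsafe_temp_path(base_dir, name):
    # Vulnerable pattern: nothing is checked. "../../etc/x" climbs out of
    # base_dir, and an absolute name makes os.path.join discard base_dir.
    return os.path.join(base_dir, name + ".tmp")

def safe_temp_path(base_dir, name):
    # Layer 1: allowlist the name itself.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid file name")
    # Layer 2: resolve the result and confirm it still lies inside base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".tmp"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes upload directory")
    return candidate

def write_upload(base_dir, name, data):
    # The file is opened only after the path has been validated.
    path = safe_temp_path(base_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def demo(names=("report1", "../../etc/x", "/etc/x", ".hidden")):
    # Run each constructed name through both versions inside a scratch dir.
    # Returns name -> (unsafe path escapes base_dir?, hardened outcome).
    results = {}
    with tempfile.TemporaryDirectory() as base_dir:
        base = os.path.realpath(base_dir)
        for name in names:
            naive = os.path.normpath(unsafe_temp_path(base, name))
            escapes = os.path.commonpath([base, naive]) != base
            try:
                write_upload(base, name, b"payload")
                hardened = "written"
            except ValueError:
                hardened = "rejected"
            results[name] = (escapes, hardened)
    return results
```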

Patches

Use mindsdb staging branch or v23.11.4.1

References


Package

mindsdb (pip)

Affected versions

< 23.11.4.1

Patched versions

23.11.4.1

References

  • GHSL-2023-184
  • See CodeQL path injection prevention guidelines and OWASP guidelines.
  • GHSA-crhp-7c74-cg4c
  • https://nvd.nist.gov/vuln/detail/CVE-2023-49796
  • mindsdb/mindsdb@8d13c9c
  • https://github.com/mindsdb/mindsdb/blob/1821da719f34c022890c9ff25810218e71c5abbc/mindsdb/api/http/namespaces/file.py#L122-L125

ZoranPandovski published to mindsdb/mindsdb: Dec 11, 2023

Published by the National Vulnerability Database: Dec 11, 2023

Published to the GitHub Advisory Database: Dec 12, 2023

Reviewed: Dec 12, 2023

Last updated: Dec 12, 2023

Related news

CVE-2023-49796: GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-184

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.
