AVID-2026-R1299

Description

MindsDB Arbitrary File Write vulnerability (CVE-2023-49796)

Details

MindsDB connects artificial intelligence models to real-time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in file.py. Users should use MindsDB’s staging branch or v23.11.4.1, which contain a fix for the issue.

Reason for inclusion in AVID: CVE-2023-49796 describes an arbitrary file write vulnerability in MindsDB, an AI data/ML platform used to connect AI models to real-time data. This directly affects AI software stacks and deployment pipelines, making it a software supply-chain issue for general-purpose AI systems. The report provides explicit vulnerability details, affected version, impact, and a fix, meeting AVID criteria.

References

Affected or Relevant Artifacts

  • Developer: mindsdb
  • Deployer: mindsdb
  • Artifact Details:
      • Type: System
      • Name: mindsdb

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Base Score: 5.3
  • Base Severity: 🟠 Medium
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🟢 Low
  • Availability Impact: NONE

CWE

  • ID: CWE-20
  • Description: CWE-20: Improper Input Validation

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-12-11
  • Version: 0.3.3
  • AVID Entry