We use cookies to improve your experience on our site.
AVID-2026-R1439
Description
MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding (CVE-2024-24759)
Details
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.
Reason for inclusion in AVID: The CVE describes a vulnerability in MindsDB, an AI platform used to build/deploy AI solutions. It is a software vulnerability in a component integral to AI workflows (AI model training/deployment stack) with potential SSRF-related security impact. This is relevant to the software supply chain of general-purpose AI systems (not hardware/firmware-only). The report provides explicit vulnerability details, impact, and a patched version, giving sufficient evidence for curation.
References
- NVD entry
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr
- https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b
Affected or Relevant Artifacts
- Developer: mindsdb
- Deployer: mindsdb
- Artifact Details:
| Type | Name |
|---|---|
| System | mindsdb |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L |
| Base Score | 9.3 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-918 | CWE-918: Server-Side Request Forgery (SSRF) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-05
- Version: 0.3.3
- AVID Entry