AVID-2026-R1535
Description
Vulnerability CVE-2024-45851
Details
An arbitrary code execution vulnerability exists in MindsDB versions 23.10.5.0 up to 24.7.4.1 when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query is used to create list items. If such a query is crafted so that one of its values contains Python code, that value is passed to an eval function and the code is executed on the server.
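The pattern behind this advisory, shown as an added illustration rather than MindsDB's own code: a hypothetical integration handler that turns the column values of an INSERT into the payload for a "create list item" call. The function and column names, the sample rows, and the `eval`-based parser are all constructed for this example; the hardened form replaces `eval` with `ast.literal_eval`, which accepts only literals and raises on names, calls and attribute access.

```python
"""Eval-injection pattern (CWE-95) of the kind described in CVE-2024-45851.

Constructed example for this advisory page. It is NOT MindsDB's code: the
handler, column names and sample rows below are hypothetical, chosen to show
the vulnerable pattern next to a hardened replacement.
"""
import ast
import json


# Constructed sample rows: column -> raw value string, as a SQL layer might hand
# an integration after parsing `INSERT INTO ... VALUES (...)`.
BENIGN_ROW = {"title": "'Quarterly report'", "tags": "['finance', 'q3']"}
# The "tags" value is a Python expression, not a literal. A harmless call is
# used here; in an attack it would be any code the attacker wants run.
CRAFTED_ROW = {"title": "'x'", "tags": "__import__('platform').python_version()"}


def parse_value_unsafe(raw: str):
    """Vulnerable parser: the raw value is interpreted as Python source, so any
    expression the client can write (imports, calls, ...) runs on the server."""
    return eval(raw)  # CWE-95: eval injection on client-controlled input


def parse_value_safe(raw: str):
    """Hardened parser: accept only Python literals (strings, numbers, lists,
    dicts, ...). ast.literal_eval raises ValueError for names, calls and
    attribute access, so code embedded in the value is rejected."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"value is not a literal: {raw!r}") from exc


def build_list_item(row: dict, parse) -> dict:
    """Hypothetical 'create list item' step: parse every column value with the
    given parser and return the JSON payload that would go to the API client."""
    payload = {col: parse(raw) for col, raw in row.items()}
    json.dumps(payload)  # only plain data may reach the API client
    return payload


def is_injected(row: dict) -> bool:
    """Detection helper: True if any value in the row is not a pure literal,
    i.e. it would only make sense to a parser that evaluates code."""
    for raw in row.values():
        try:
            ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            return True
    return False


if __name__ == "__main__":
    print("benign, hardened :", build_list_item(BENIGN_ROW, parse_value_safe))
    print("crafted, vulnerable:", build_list_item(CRAFTED_ROW, parse_value_unsafe))
    print("crafted flagged   :", is_injected(CRAFTED_ROW))
    try:
        build_list_item(CRAFTED_ROW, parse_value_safe)
    except ValueError as err:
        print("crafted, hardened :", err)
```

Running the script shows the benign row producing the same payload under both parsers, the crafted row executing its embedded call under `eval` (the interpreter version string appears in the payload), and the hardened parser rejecting it. `is_injected` is the check a deployer could run over incoming INSERT values while a patched version is rolled out.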
Reason for inclusion in AVID: CVE-2024-45851 describes an arbitrary code execution vulnerability in the MindsDB platform, triggered by crafted values in an INSERT query that are executed as Python code on the server. MindsDB is an AI/ML platform used to build and serve models, so the vulnerability affects the AI software stack, including its deployment and runtime components. This constitutes a software supply chain vulnerability within AI system pipelines (model serving and AI data processing components) and poses a direct security risk (remote code execution).
References
Affected or Relevant Artifacts
- Developer: mindsdb
- Deployer: mindsdb
- Artifact Details:
| Type | Name |
|---|---|
| System | mindsdb |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 8.8 |
| Base Severity | 🔴 High |
| Attack Vector | Network |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-12
- Version: 0.3.3
- AVID Entry