CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45855
https://notcve.org/view.php?id=CVE-2024-45855
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45854
https://notcve.org/view.php?id=CVE-2024-45854
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45853
https://notcve.org/view.php?id=CVE-2024-45853
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45852
https://notcve.org/view.php?id=CVE-2024-45852
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45846
https://notcve.org/view.php?id=CVE-2024-45846
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •