10 results (0.003 seconds)

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. • https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch. • https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr • CWE-918: Server-Side Request Forgery (SSRF) •