CVE-2024-45849

HIGH

Mindsdb < 24.7.4.1 - Code Injection

Title source: rule

Description

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

References (1)

[Exploit, Third Party Advisory] https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/

Scores

CVSS v3 8.8

EPSS 0.0056

EPSS Percentile 68.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-95 CWE-94

Status published

Products (2)

mindsdb/mindsdb 23.10.5.0 - 24.7.4.1

pypi/mindsdb 23.10.5.0 - 24.7.4.1PyPI

Published Sep 12, 2024

Tracked Since Feb 18, 2026