cvelistv5 - CVE-2023-49796

CVE-2023-49796 (GCVE-0-2023-49796)

Vulnerability from cvelistv5

Published

2023-12-11 20:38

Modified

2024-08-02 22:01

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-20 - Improper Input Validation

Summary

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

References

URL

Tags

security-advisories@github.com	https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe	Patch
security-advisories@github.com	https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c	Vendor Advisory

Impacted products

	Vendor	Product	Version
	mindsdb	mindsdb	Version: < 23.11.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:01:26.096Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
          },
          {
            "name": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mindsdb",
          "vendor": "mindsdb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 23.11.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-11T20:38:25.330Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
        },
        {
          "name": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
        }
      ],
      "source": {
        "advisory": "GHSA-crhp-7c74-cg4c",
        "discovery": "UNKNOWN"
      },
      "title": "MindsDB Arbitrary File Write vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-49796",
    "datePublished": "2023-12-11T20:38:25.330Z",
    "dateReserved": "2023-11-30T13:39:50.863Z",
    "dateUpdated": "2024-08-02T22:01:26.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-49796\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-11T21:15:07.460\",\"lastModified\":\"2024-11-21T08:33:51.630\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"MindsDB conecta modelos de inteligencia artificial con datos en tiempo real. Las versiones anteriores a la 23.11.4.1 contienen una vulnerabilidad de escritura de archivos limitada en `file.py`. Los usuarios deben usar la rama `staging` de MindsDB o la versi\u00f3n 23.11.4.1, que contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mindsdb:mindsdb:23.7.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"478C2F27-9FCC-4206-A4F0-179EBBD92FD3\"}]}]}],\"references\":[{\"url\":\"https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

fkie_cve-2023-49796

Vulnerability from fkie_nvd

Published

2023-12-11 21:15

Modified

2024-11-21 08:33

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe	Patch
security-advisories@github.com	https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c	Vendor Advisory

Impacted products

	Vendor	Product	Version
	mindsdb	mindsdb	23.7.4.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mindsdb:mindsdb:23.7.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "478C2F27-9FCC-4206-A4F0-179EBBD92FD3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue."
    },
    {
      "lang": "es",
      "value": "MindsDB conecta modelos de inteligencia artificial con datos en tiempo real. Las versiones anteriores a la 23.11.4.1 contienen una vulnerabilidad de escritura de archivos limitada en `file.py`. Los usuarios deben usar la rama `staging` de MindsDB o la versi\u00f3n 23.11.4.1, que contiene una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2023-49796",
  "lastModified": "2024-11-21T08:33:51.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-11T21:15:07.460",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2023-49796

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-49796

Aliases

CVE-2023-49796

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-49796",
    "id": "GSD-2023-49796"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-49796"
      ],
      "details": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue.",
      "id": "GSD-2023-49796",
      "modified": "2023-12-13T01:20:34.902396Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-49796",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "mindsdb",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 23.11.4.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "mindsdb"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c",
            "refsource": "MISC",
            "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
          },
          {
            "name": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe",
            "refsource": "MISC",
            "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-crhp-7c74-cg4c",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:mindsdb:mindsdb:23.7.4.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "478C2F27-9FCC-4206-A4F0-179EBBD92FD3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue."
          },
          {
            "lang": "es",
            "value": "MindsDB conecta modelos de inteligencia artificial con datos en tiempo real. Las versiones anteriores a la 23.11.4.1 contienen una vulnerabilidad de escritura de archivos limitada en `file.py`. Los usuarios deben usar la rama `staging` de MindsDB o la versi\u00f3n 23.11.4.1, que contiene una soluci\u00f3n para el problema."
          }
        ],
        "id": "CVE-2023-49796",
        "lastModified": "2023-12-14T15:59:56.653",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-11T21:15:07.460",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-20"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

ghsa-crhp-7c74-cg4c

Vulnerability from github

Published

2023-12-12 00:49

Modified

2024-11-22 18:14

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

Improper Input Validation in mindsdb

Details

Impact

The put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled name value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to.

Patches

Use mindsdb staging branch or v23.11.4.1

References

GHSL-2023-184
See CodeQL path injection prevention guidelines and OWASP guidelines.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mindsdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23.11.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-12T00:49:00Z",
    "nvd_published_at": "2023-12-11T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to.\n\n### Patches\n\nUse mindsdb staging branch or v23.11.4.1\n\n\n### References\n\n* GHSL-2023-184 \n* See [CodeQL path injection prevention guidelines](https://codeql.github.com/codeql-query-help/python/py-path-injection/) and [OWASP guidelines](https://owasp.org/www-community/attacks/Path_Traversal).\n",
  "id": "GHSA-crhp-7c74-cg4c",
  "modified": "2024-11-22T18:14:16Z",
  "published": "2023-12-12T00:49:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mindsdb/mindsdb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindsdb/mindsdb/blob/1821da719f34c022890c9ff25810218e71c5abbc/mindsdb/api/http/namespaces/file.py#L122-L125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2023-278.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in mindsdb"
}

pysec-2023-278

Vulnerability from pysec

Published

2023-12-11 21:15

Modified

2025-10-27 07:48

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in file.py Users should use MindsDB's staging branch or v23.11.4.1, which contain a fix for the issue.

Impacted products

Name	purl
mindsdb	pkg:pypi/mindsdb

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mindsdb",
        "purl": "pkg:pypi/mindsdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8d13c9c28ebcf3b36509eb679378004d4648d8fe"
            }
          ],
          "repo": "https://github.com/mindsdb/mindsdb",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6.5",
        "0.6.6",
        "0.6.7",
        "0.6.8",
        "0.6.9",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.7.9",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "0.8.9.1",
        "0.8.9.2",
        "0.8.9.3",
        "0.8.9.4",
        "0.8.9.5",
        "0.8.9.6",
        "0.8.9.7",
        "0.8.9.8",
        "0.9.0.0",
        "0.9.0.1",
        "0.9.1.0",
        "0.9.2.0",
        "1.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.0.9",
        "1.1.0",
        "1.1.2",
        "1.1.3",
        "1.1.7",
        "1.1.9",
        "1.10.0",
        "1.10.2",
        "1.10.3",
        "1.11.0",
        "1.11.2",
        "1.11.3",
        "1.11.4",
        "1.11.5",
        "1.11.8",
        "1.12.0",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.7",
        "1.12.8",
        "1.12.9",
        "1.13.0",
        "1.13.10",
        "1.13.11",
        "1.13.12",
        "1.13.15",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "1.13.5",
        "1.13.6",
        "1.13.7",
        "1.13.8",
        "1.13.9",
        "1.14.0",
        "1.14.1",
        "1.14.2",
        "1.14.3",
        "1.14.4",
        "1.15.1",
        "1.15.2",
        "1.15.6",
        "1.16.0",
        "1.16.1",
        "1.16.2",
        "1.17.0",
        "1.17.1",
        "1.17.2",
        "1.17.3",
        "1.17.4",
        "1.17.6",
        "1.17.8",
        "1.17.9",
        "1.18.0",
        "1.18.1",
        "1.18.2",
        "1.18.3",
        "1.18.5",
        "1.18.6",
        "1.18.7",
        "1.19.0",
        "1.19.1",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.8",
        "1.2.9",
        "1.20.0",
        "1.20.1",
        "1.21.0",
        "1.22.0",
        "1.23.0",
        "1.24.0",
        "1.24.1",
        "1.24.2",
        "1.25.0",
        "1.25.1",
        "1.25.2",
        "1.26.0",
        "1.26.1",
        "1.26.2",
        "1.26.3",
        "1.26.4",
        "1.26.5",
        "1.27.0",
        "1.27.1",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4.0",
        "1.4.1",
        "1.4.10",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.9",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.5.4",
        "1.6.0",
        "1.6.12",
        "1.6.13",
        "1.6.15",
        "1.6.17",
        "1.6.18",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.7.0",
        "1.7.1",
        "1.7.10",
        "1.7.11",
        "1.7.12",
        "1.7.13",
        "1.7.14",
        "1.7.15",
        "1.7.16",
        "1.7.17",
        "1.7.18",
        "1.7.19",
        "1.7.2",
        "1.7.20",
        "1.7.21",
        "1.7.22",
        "1.7.23",
        "1.7.3",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "1.7.8",
        "1.7.9",
        "1.8.0",
        "1.8.2",
        "1.9.0",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.5",
        "1.9.6",
        "1.99.0",
        "1.99.1",
        "1.99.10",
        "1.99.11",
        "1.99.3",
        "1.99.4",
        "1.99.5",
        "1.99.6",
        "1.99.7",
        "1.99.8",
        "1.99.9",
        "2.0.0",
        "2.1.0",
        "2.1.2",
        "2.10.0",
        "2.10.1",
        "2.10.2",
        "2.11.0",
        "2.11.1",
        "2.11.2",
        "2.11.4",
        "2.12.0",
        "2.13.0",
        "2.13.1",
        "2.13.2",
        "2.13.3",
        "2.13.4",
        "2.13.5",
        "2.13.6",
        "2.13.7",
        "2.13.8",
        "2.14.0",
        "2.15.0",
        "2.17.1",
        "2.18.0",
        "2.19.0",
        "2.19.1",
        "2.19.2",
        "2.19.4",
        "2.19.5",
        "2.2.0",
        "2.2.1",
        "2.20.0",
        "2.20.1",
        "2.20.2",
        "2.21.0",
        "2.21.1",
        "2.21.2",
        "2.21.3",
        "2.22.0",
        "2.22.1",
        "2.22.2",
        "2.23.0",
        "2.24.0",
        "2.24.1",
        "2.25.0",
        "2.25.1",
        "2.25.2",
        "2.25.3",
        "2.26.0",
        "2.27.0",
        "2.28.0",
        "2.3.0",
        "2.30.0",
        "2.30.1",
        "2.31.0",
        "2.32.0",
        "2.33.0",
        "2.34.0",
        "2.35.0",
        "2.36.0",
        "2.37.0",
        "2.38.0",
        "2.39.0",
        "2.4.0",
        "2.40.0",
        "2.41.1",
        "2.41.2",
        "2.42.0",
        "2.42.1",
        "2.42.2",
        "2.43.0",
        "2.44.0",
        "2.45.0",
        "2.45.1",
        "2.45.2",
        "2.5.0",
        "2.50.0",
        "2.51.0",
        "2.51.1",
        "2.51.2",
        "2.52.0",
        "2.53.0",
        "2.54.0",
        "2.55.0",
        "2.55.1",
        "2.55.2",
        "2.56.0",
        "2.57.0",
        "2.58.0",
        "2.58.1",
        "2.58.2",
        "2.58.3",
        "2.59.0",
        "2.6.0",
        "2.6.1",
        "2.60.0",
        "2.60.1",
        "2.61.0",
        "2.62.0",
        "2.62.1",
        "2.62.2",
        "2.62.3",
        "2.62.4",
        "2.7.0",
        "2.7.1",
        "2.7.2",
        "2.8.0",
        "2.8.1",
        "2.8.3",
        "2.9.0",
        "2.9.1",
        "22.1.4.0",
        "22.1.4.1",
        "22.10.2.0",
        "22.10.2.1",
        "22.11.3.0",
        "22.11.3.2",
        "22.11.4.0",
        "22.11.4.1",
        "22.11.4.2",
        "22.11.4.3",
        "22.12.4.0",
        "22.12.4.2",
        "22.12.4.3",
        "22.2.1.0",
        "22.2.1.2",
        "22.2.2.0",
        "22.2.2.1",
        "22.2.4.0",
        "22.2.4.1",
        "22.3.1.0",
        "22.3.3.0",
        "22.3.4.0",
        "22.3.4.1",
        "22.3.4.2",
        "22.3.4.3",
        "22.3.5.0",
        "22.4.2.0",
        "22.4.2.1",
        "22.4.2.2",
        "22.4.3.0",
        "22.4.5.0",
        "22.5.1.0",
        "22.5.1.1",
        "22.5.1.2",
        "22.5.2.0",
        "22.5.4.0",
        "22.6.1.0",
        "22.6.1.1",
        "22.6.1.2",
        "22.6.2.0",
        "22.6.2.1",
        "22.6.2.2",
        "22.7.3.0",
        "22.7.3.1",
        "22.7.3.2",
        "22.7.3.3",
        "22.7.3.4",
        "22.7.4.0",
        "22.7.4.1",
        "22.7.5.0",
        "22.7.5.1",
        "22.8.2.0",
        "22.8.2.1",
        "22.8.3.0",
        "22.8.3.1",
        "22.8.4.0",
        "22.8.4.1",
        "22.8.5.0",
        "22.9.3.0",
        "22.9.3.1",
        "22.9.4.0",
        "22.9.5.1",
        "22.9.5.2",
        "22.9.5.3",
        "22.9.5.4",
        "23.1.3.0",
        "23.1.3.1",
        "23.1.3.2",
        "23.1.5.0",
        "23.10.2.0",
        "23.10.3.0",
        "23.10.3.1",
        "23.10.5.0",
        "23.11.1.0",
        "23.11.4.0",
        "23.11.4.1",
        "23.11.4.4a6",
        "23.12.4.0",
        "23.12.4.1",
        "23.12.4.2",
        "23.2.1.0",
        "23.2.2.1",
        "23.2.3.0",
        "23.2.3.1",
        "23.2.4.0",
        "23.2.4.1",
        "23.2.4.2",
        "23.2.4.3",
        "23.3.2.0",
        "23.3.3.0",
        "23.3.3.1",
        "23.3.3.2",
        "23.3.3.3",
        "23.3.3.4",
        "23.3.3.5",
        "23.3.4.0",
        "23.3.5.0",
        "23.4.3.0",
        "23.4.3.1",
        "23.4.3.2",
        "23.4.4.0",
        "23.4.4.1",
        "23.4.4.2",
        "23.4.4.3",
        "23.4.4.4",
        "23.5.3.1",
        "23.5.3.2",
        "23.5.4.1",
        "23.6.1.1",
        "23.6.2.0",
        "23.6.3.0",
        "23.6.3.1",
        "23.6.4.0",
        "23.6.5.0",
        "23.6.5.1",
        "23.7.1.0",
        "23.7.2.0",
        "23.7.3.1",
        "23.7.4.0",
        "23.7.4.1",
        "23.8.1.0",
        "23.8.3.0",
        "23.9.1.0",
        "23.9.1.1",
        "23.9.2.0",
        "23.9.2.1",
        "23.9.3.0",
        "23.9.3.1",
        "24.1.4.0",
        "24.10.1.0",
        "24.10.2.0",
        "24.10.3.0",
        "24.10.4.0",
        "24.10.4.1",
        "24.10.4.2",
        "24.10.5.0",
        "24.11.1.0",
        "24.11.1.1",
        "24.11.2.0",
        "24.11.3.0",
        "24.2.3.0",
        "24.3.4.0",
        "24.3.4.1",
        "24.3.4.2",
        "24.3.5.0",
        "24.4.2.0",
        "24.4.2.1",
        "24.4.3.0",
        "24.5.4.0",
        "24.6.1.0",
        "24.6.1.1",
        "24.6.2.0",
        "24.6.2.2",
        "24.6.3.0",
        "24.6.3.1",
        "24.6.4.1",
        "24.7.1.0",
        "24.7.2.0",
        "24.7.3.0",
        "24.7.4.0",
        "24.7.4.1",
        "24.7.5.0",
        "24.8.1.0",
        "24.8.1.1",
        "24.8.2.0",
        "24.8.3.0",
        "24.8.4.0",
        "24.9.1.0",
        "24.9.2.0",
        "24.9.2.1",
        "24.9.3.0",
        "24.9.3.1",
        "24.9.3.2",
        "24.9.4.0",
        "24.9.4.1",
        "24.11.4.0",
        "24.11.4.1",
        "24.11.4.2",
        "24.12.1.0",
        "24.12.2.0",
        "24.12.2.1",
        "24.12.3.0",
        "24.12.2.2",
        "24.12.4.0",
        "25.1.2.0",
        "25.1.2.1",
        "25.1.3.0",
        "25.1.4.0",
        "25.1.5.0",
        "25.1.5.1",
        "25.1.5.2",
        "25.1.5.3",
        "25.2.1.0",
        "25.2.1.2",
        "25.2.2.0",
        "25.2.2.1",
        "25.2.2.2",
        "25.2.3.0",
        "25.2.4.0",
        "25.3.1.0",
        "25.3.2.0",
        "25.3.3.0",
        "25.3.4.0",
        "25.3.4.1",
        "25.3.4.2",
        "25.4.1.0",
        "25.4.2.0",
        "25.4.2.1",
        "25.4.3.0",
        "25.4.3.1",
        "25.4.3.2",
        "25.4.4.0",
        "25.4.5.0",
        "25.5.3.0",
        "25.5.4.0",
        "25.5.4.1",
        "25.5.4.2",
        "25.6.2.0",
        "25.6.3.0",
        "25.6.3.1",
        "25.6.4.0",
        "25.7.1.0",
        "25.7.2.0",
        "25.7.3.0",
        "25.7.4.0",
        "25.8.2.0",
        "25.8.3.0",
        "25.9.1.0",
        "25.9.1.1",
        "25.9.1.2",
        "25.9.2.0a1",
        "25.9.3rc1",
        "25.10.0rc1",
        "25.10.0",
        "25.10.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49796",
    "GHSA-crhp-7c74-cg4c"
  ],
  "details": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB\u0027s `staging` branch or v23.11.4.1, which contain a fix for the issue.",
  "id": "PYSEC-2023-278",
  "modified": "2025-10-27T07:48:17.326672Z",
  "published": "2023-12-11T21:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "withdrawn": "2024-11-22T04:37:04Z"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-49796 (GCVE-0-2023-49796)

Vulnerability from cvelistv5

fkie_cve-2023-49796

Vulnerability from fkie_nvd

gsd-2023-49796

Vulnerability from gsd

ghsa-crhp-7c74-cg4c

Vulnerability from github

Impact

Patches

References

pysec-2023-278

Vulnerability from pysec

Tags

Sightings

Nomenclature