CVE-2024-45854

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Sep 12, 2024
Updated: Sep 16, 2024
CWE ID: 502 (Deserialization of Untrusted Data)

Summary

CVE-2024-45854 identifies a deserialization-of-untrusted-data vulnerability in versions 23.10.3.0 and newer of the MindsDB platform. An attacker who can upload a malicious 'inhouse' model can have it execute arbitrary code on the server when a 'describe' query is run against that model. Affected products include various iterations of MindsDB, denoted by IDs such as yZDbPt, yZDbPs, and uCRMb0 among others. Successful exploitation has a high impact on integrity, confidentiality, and availability; under CVSS version 3.1 the vulnerability carries an exploitability subscore of 1.6 and a base score of 7.5 (High). To mitigate this vulnerability, organizations should upgrade to a patched version of the MindsDB platform that addresses this issue as soon as possible. Until remediated, the vulnerability could allow unauthorized access to and control over server operations, posing a serious security threat to affected organizations.
