GHSA-crhp-7c74-cg4c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-crhp-7c74-cg4c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-crhp-7c74-cg4c/GHSA-crhp-7c74-cg4c.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-crhp-7c74-cg4c
- Aliases
- Related
- Published
- 2023-12-12T00:49:00Z
- Modified
- 2024-11-22T18:39:38.599570Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Improper Input Validation in mindsdb
- Details
-
Impact
The put method in
mindsdb/mindsdb/api/http/namespaces/file.pydoes not validate the user-controllednamevalue, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to.Patches
Use mindsdb staging branch or v23.11.4.1
References
- GHSL-2023-184
- See CodeQL path injection prevention guidelines and OWASP guidelines.
- Database specific
{ "nvd_published_at": "2023-12-11T21:15:07Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-12-12T00:49:00Z" }- References
-
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c
- https://nvd.nist.gov/vuln/detail/CVE-2023-49796
- https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe
- https://github.com/mindsdb/mindsdb
- https://github.com/mindsdb/mindsdb/blob/1821da719f34c022890c9ff25810218e71c5abbc/mindsdb/api/http/namespaces/file.py#L122-L125
- https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2023-278.yaml
Affected packages
PyPI / mindsdb
Package
- Name
- mindsdb
- View open source insights on deps.dev
- Purl
- pkg:pypi/mindsdb
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed23.11.4.1
Affected versions
0.*
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.9.1
0.8.9.2
0.8.9.3
0.8.9.4
0.8.9.5
0.8.9.6
0.8.9.7
0.8.9.8
0.9.0.0
0.9.0.1
0.9.1.0
0.9.2.0
1.*
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.2
1.1.3
1.1.7
1.1.9
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.8
1.2.9
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.9
1.4.10
1.5.0
1.5.1
1.5.2
1.5.4
1.6.0
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.12
1.6.13
1.6.15
1.6.17
1.6.18
1.7.0
1.7.1
1.7.2
1.7.3
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.8.0
1.8.2
1.9.0
1.9.1
1.9.2
1.9.3
1.9.5
1.9.6
1.10.0
1.10.2
1.10.3
1.11.0
1.11.2
1.11.3
1.11.4
1.11.5
1.11.8
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.7
1.12.8
1.12.9
1.13.0
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.13.7
1.13.8
1.13.9
1.13.10
1.13.11
1.13.12
1.13.15
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.15.1
1.15.2
1.15.6
1.16.0
1.16.1
1.16.2
1.17.0
1.17.1
1.17.2
1.17.3
1.17.4
1.17.6
1.17.8
1.17.9
1.18.0
1.18.1
1.18.2
1.18.3
1.18.5
1.18.6
1.18.7
1.19.0
1.19.1
1.20.0
1.20.1
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.24.2
1.25.0
1.25.1
1.25.2
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.26.5
1.27.0
1.27.1
1.99.0
1.99.1
1.99.3
1.99.4
1.99.5
1.99.6
1.99.7
1.99.8
1.99.9
1.99.10
1.99.11
2.*
2.0.0
2.1.0
2.1.2
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.3
2.9.0
2.9.1
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.4
2.12.0
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.14.0
2.15.0
2.17.1
2.18.0
2.19.0
2.19.1
2.19.2
2.19.4
2.19.5
2.20.0
2.20.1
2.20.2
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.24.0
2.24.1
2.25.0
2.25.1
2.25.2
2.25.3
2.26.0
2.27.0
2.28.0
2.30.0
2.30.1
2.31.0
2.32.0
2.33.0
2.34.0
2.35.0
2.36.0
2.37.0
2.38.0
2.39.0
2.40.0
2.41.1
2.41.2
2.42.0
2.42.1
2.42.2
2.43.0
2.44.0
2.45.0
2.45.1
2.45.2
2.50.0
2.51.0
2.51.1
2.51.2
2.52.0
2.53.0
2.54.0
2.55.0
2.55.1
2.55.2
2.56.0
2.57.0
2.58.0
2.58.1
2.58.2
2.58.3
2.59.0
2.60.0
2.60.1
2.61.0
2.62.0
2.62.1
2.62.2
2.62.3
2.62.4
22.*
22.1.4.0
22.1.4.1
22.2.1.0
22.2.1.2
22.2.2.0
22.2.2.1
22.2.4.0
22.2.4.1
22.3.1.0
22.3.3.0
22.3.4.0
22.3.4.1
22.3.4.2
22.3.4.3
22.3.5.0
22.4.2.0
22.4.2.1
22.4.2.2
22.4.3.0
22.4.5.0
22.5.1.0
22.5.1.1
22.5.1.2
22.5.2.0
22.5.4.0
22.6.1.0
22.6.1.1
22.6.1.2
22.6.2.0
22.6.2.1
22.6.2.2
22.7.3.0
22.7.3.1
22.7.3.2
22.7.3.3
22.7.3.4
22.7.4.0
22.7.4.1
22.7.5.0
22.7.5.1
22.8.2.0
22.8.2.1
22.8.3.0
22.8.3.1
22.8.4.0
22.8.4.1
22.8.5.0
22.9.3.0
22.9.3.1
22.9.4.0
22.9.5.1
22.9.5.2
22.9.5.3
22.9.5.4
22.10.2.0
22.10.2.1
22.11.3.0
22.11.3.2
22.11.4.0
22.11.4.1
22.11.4.2
22.11.4.3
22.12.4.0
22.12.4.2
22.12.4.3
23.*
23.1.3.0
23.1.3.1
23.1.3.2
23.1.5.0
23.2.1.0
23.2.2.1
23.2.3.0
23.2.3.1
23.2.4.0
23.2.4.1
23.2.4.2
23.2.4.3
23.3.2.0
23.3.3.0
23.3.3.1
23.3.3.2
23.3.3.3
23.3.3.4
23.3.3.5
23.3.4.0
23.3.5.0
23.4.3.0
23.4.3.1
23.4.3.2
23.4.4.0
23.4.4.1
23.4.4.2
23.4.4.3
23.4.4.4
23.5.3.1
23.5.3.2
23.5.4.1
23.6.1.1
23.6.2.0
23.6.3.0
23.6.3.1
23.6.4.0
23.6.5.0
23.6.5.1
23.7.1.0
23.7.2.0
23.7.3.1
23.7.4.0
23.7.4.1
23.8.1.0
23.8.3.0
23.9.1.0
23.9.1.1
23.9.2.0
23.9.2.1
23.9.3.0
23.9.3.1
23.10.2.0
23.10.3.0
23.10.3.1
23.10.5.0
23.11.1.0
23.11.4.0