MindsDB@24.6.4.1 vulnerabilities

MindsDB's AI SQL Server enables developers to build AI tools that need access to real-time data to perform their tasks

latest version

24.10.5.0
first published

6 years ago
latest version published

5 days ago
licenses detected
- MIT
  [0.6.5,2.6.0); [23.11.4.0,24.10.4.1)
View MindsDB package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the MindsDB package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Cross-site Scripting (XSS) MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Cross-site Scripting (XSS) whenever another user enumerates unsanitized items within the UI. An attacker can execute arbitrary JavaScript code by injecting malicious scripts into the input fields. How to fix Cross-site Scripting (XSS)? There is no fixed version for `MindsDB`.	[0,)
H Deserialization of Untrusted Data MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Deserialization of Untrusted Data within the `finetune` method of the `ModelWrapperUnsafe` class in the `mindsdb/integrations/handlers/byom_handler/byom_handler.py` file, which will perform `pickle.loads` on a custom model built via the `Build Your Own Model` process. An attacker can execute arbitrary code on the server by uploading a maliciously crafted `inhouse` model and using it for `finetuning`. Note: This can only occur if the BYOM engine is changed in the config from the default `venv` to `inhouse`. How to fix Deserialization of Untrusted Data? There is no fixed version for `MindsDB`.	[23.10.2.0,)
H Deserialization of Untrusted Data MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Deserialization of Untrusted Data within the `predict` method of the `ModelWrapperUnsafe` class in the `mindsdb/integrations/handlers/byom_handler/byom_handler.py` file, which will perform `pickle.loads` on a custom model built via the `Build Your Own Model` process. An attacker can execute arbitrary code on the server by uploading a malicious 'inhouse' model and using it for prediction. Note: This can only occur if the BYOM engine is changed in the config from the default `venv` to `inhouse`. How to fix Deserialization of Untrusted Data? There is no fixed version for `MindsDB`.	[23.10.2.0,)
H Deserialization of Untrusted Data MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Deserialization of Untrusted Data within the `describe` method of the `ModelWrapperUnsafe` class in the `mindsdb/integrations/handlers/byom_handler/byom_handler.py` file, which will perform `pickle.loads` on a custom model built via the Build Your Own Model` process. An attacker can execute arbitrary code on the server by uploading a malicious 'inhouse' model and running a 'describe' query on it. Note: This can only occur if the BYOM engine is changed in the config from the default ‘venv’ to ‘inhouse’. How to fix Deserialization of Untrusted Data? There is no fixed version for `MindsDB`.	[23.10.3.0,)
H Deserialization of Untrusted Data MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the deserialization process within the `decode` function of the `mindsdb/integrations/handlers/byom_handler/proc_wrapper.py` file, which will perform a `pickle.loads` on a custom model built via the `Build Your Own Model` process. An attacker can execute arbitrary code on the server. How to fix Deserialization of Untrusted Data? There is no fixed version for `MindsDB`.	[23.3.2.0,)
H Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') through the `eval` function inside the `_dispatch_update function` of the `mindsdb/integrations/libs/vectordatabase_handler.py` file. An attacker can execute arbitrary code on the server by sending a specially crafted 'UPDATE' query that includes malicious Python code. How to fix Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.11.4.4a6,24.7.4.1)
H Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') due to the `eval` function inside the `insert` function of the `mindsdb/integrations/handlers/chromadb_handler/chromadb_handler.py` file. An attacker can execute arbitrary code by sending a specially crafted `INSERT` query that includes malicious Python code. How to fix Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.12.4.0,24.7.4.1)
H Eval Injection MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Eval Injection due to unprotected `eval` function inside the `create_a_site_column` function of the `mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py` file. An attacker can execute arbitrary code on the server through the `INSERT` query mechanism used for site column creation in the SharePoint engine. How to fix Eval Injection? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.10.5.0,24.7.4.1)
H Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') due to an unprotected `eval` function inside the `select` function of the `mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py` file. An attacker can execute arbitrary code on the server by sending a specially crafted 'SELECT WHERE' clause containing Python code when using the Weaviate integration. How to fix Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.10.3.0,24.7.4.1)
H Eval Injection MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Eval Injection due to the use of an unprotected `eval` function inside the `create_an_item` function of the `mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py` file. This allows an authorized attacker to run arbitrary Python code on the machine the instance is running on. How to fix Eval Injection? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.10.5.0,24.7.4.1)
H Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') inside the `create_a_list` function of the `mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py` file, due to the `eval` function. This allows an authorized attacker to run arbitrary Python code on the machine the instance is running on. How to fix Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')? Upgrade `MindsDB` to version 24.7.4.1 or higher.	[23.10.5.0,24.7.4.1)
M Cross-site Scripting MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Cross-site Scripting due to improper sanitization of user-supplied input. An attacker can inject malicious scripts into web pages viewed by other users. Note: This is true for both cloud version and OSS version. How to fix Cross-site Scripting? There is no fixed version for `MindsDB`.	[0,)
H Arbitrary File Write via Archive Extraction (Zip Slip) MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to an unsafe extraction which is performed using the `shutil.unpack_archive()` function from a remotely retrieved tarball. This can lead to the writing of the extracted files to an unintended location. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? There is no fixed version for `MindsDB`.	[0,)

Go back to all versions of this package

MindsDB@24.6.4.1 vulnerabilities

MindsDB's AI SQL Server enables developers to build AI tools that need access to real-time data to perform their tasks

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities