Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Affecting mindsdb package, versions [23.12.4.0,24.7.4.1)
Threat Intelligence
EPSS
0.05% (20th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-MINDSDB-7945500
- published 13 Sep 2024
- disclosed 12 Sep 2024
- credit Unknown
Introduced: 12 Sep 2024
CVE-2024-45848 Open this link in a new tabHow to fix?
Upgrade MindsDB
to version 24.7.4.1 or higher.
Overview
MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library
Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') due to the eval
function inside the insert
function of the mindsdb/integrations/handlers/chromadb_handler/chromadb_handler.py
file. An attacker can execute arbitrary code by sending a specially crafted INSERT
query that includes malicious Python code.