Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Affecting mindsdb package, versions [23.11.4.4a6, 24.7.4.1)
Threat Intelligence
EPSS
0.05% (20th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-MINDSDB-7945503
- published 13 Sep 2024
- disclosed 12 Sep 2024
- credit Unknown
Introduced: 12 Sep 2024
CVE-2024-45847 Open this link in a new tabHow to fix?
Upgrade MindsDB
to version 24.7.4.1 or higher.
Overview
MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library
Affected versions of this package are vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') through the eval
function inside the _dispatch_update function
of the mindsdb/integrations/libs/vectordatabase_handler.py
file. An attacker can execute arbitrary code on the server by sending a specially crafted 'UPDATE' query that includes malicious Python code.