CVE-2024-24759

nvd nist nuclei

Published: Sep 5, 2024Modified: Sep 6, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.

Affected (1)

Products: Mindsdb: Mindsdb

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mindsdb Mindsdb	Before 23.12.4.2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe12b

Source: security-advisories@github.com

Patch

https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.