CVE-2024-45187

Published: Aug 23, 2024Modified: Oct 10, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server

Affected (1)

Products: Mage: Mage Ai

Mage

1 product

Mage Ai

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mage Mage Ai	All versions

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (1)

https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602/

Source: reefs@jfrog.com

Third Party Advisory

Timeline

No history available yet.