Mindsdb

18 matches found

CVE
added 2023/12/22 9:15 p.m., 68 views

CVE-2023-50731

MindsDB is a SQL Server for artificial intelligence. Prior to version 23.11.4.1, the put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled name value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which lea...

9.1 CVSS, 9.7 AI score, 0.00146 EPSS

CVE
added 2023/04/21 9:15 p.m., 52 views

CVE-2023-30620

MindsDB is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using tarfile.extractall() from a remotely retrieved tarball, which may lead to the writing of the extracted files to an unintended location. Sometimes, the vul...

7.5 CVSS, 7.4 AI score, 0.01499 EPSS

CVE
added 2023/08/04 6:15 p.m., 49 views

CVE-2023-38699

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with verify=False disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4....

9.1 CVSS, 7.7 AI score, 0.00093 EPSS

CVE
added 2024/09/05 5:15 p.m., 47 views

CVE-2024-24759

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains...

9.3 CVSS, 9.2 AI score, 0.49773 EPSS

CVE
added 2024/09/12 1:15 p.m., 47 views

CVE-2024-45848

An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code ...

8.8 CVSS, 7.8 AI score, 0.01546 EPSS

CVE
added 2023/03/30 7:15 p.m., 46 views

CVE-2022-23522

MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpack_archive() from a remotely retrieved tarball, which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...

8.8 CVSS, 8.6 AI score, 0.00667 EPSS

CVE
added 2024/09/12 1:15 p.m., 44 views

CVE-2024-45852

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

8.8 CVSS, 8.8 AI score, 0.00306 EPSS

CVE
added 2024/09/12 1:15 p.m., 42 views

CVE-2024-45849

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query is ...

8.8 CVSS, 8 AI score, 0.0195 EPSS

CVE
added 2024/09/12 1:15 p.m., 41 views

CVE-2024-45847

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration e...

8.8 CVSS, 7.8 AI score, 0.01546 EPSS

CVE
added 2024/09/12 1:15 p.m., 40 views

CVE-2024-45846

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, th...

8.8 CVSS, 7.8 AI score, 0.01678 EPSS

CVE
added 2024/09/12 1:15 p.m., 40 views

CVE-2024-45855

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.

7.5 CVSS, 7 AI score, 0.00227 EPSS

CVE
added 2024/09/12 1:15 p.m., 38 views

CVE-2024-45856

A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

9 CVSS, 8.1 AI score, 0.00204 EPSS

CVE
added 2024/09/12 1:15 p.m., 37 views

CVE-2024-45851

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a quer...

8.8 CVSS, 8.8 AI score, 0.0195 EPSS

CVE
added 2024/09/12 1:15 p.m., 36 views

CVE-2024-45853

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.

7.5 CVSS, 7.1 AI score, 0.00248 EPSS

CVE
added 2024/09/12 1:15 p.m., 36 views

CVE-2024-45854

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.

7.5 CVSS, 7 AI score, 0.00227 EPSS

CVE
added 2024/09/12 1:15 p.m., 35 views

CVE-2024-45850

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a qu...

8.8 CVSS, 8.8 AI score, 0.0195 EPSS

CVE
added 2023/12/11 9:15 p.m., 31 views

CVE-2023-49796

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in file.py. Users should use MindsDB's staging branch or v23.11.4.1, which contain a fix for the issue.

5.3 CVSS, 5.2 AI score, 0.00664 EPSS

CVE
added 2023/12/11 7:15 p.m., 23 views

CVE-2023-49795

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in file.py. This can lead to limited information disclosure. Users should use MindsDB's staging branch or v23.11.4.1, which contain a fix for the issue.

6.5 CVSS, 5.5 AI score, 0.0027 EPSS