CVE-2024-45187 – mage-ai

Package

Manager: pip
Name: mage-ai
Vulnerable Version: >=0 <=0.9.73

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: 0.00067 pctl0.21202

Details

Mage AI incorrectly gives privileges to users with deleted accounts Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.

Metadata

Created: 2024-08-23T21:30:42Z
Modified: 2024-11-25T19:30:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-jg95-r9xh-xw9c/GHSA-jg95-r9xh-xw9c.json
CWE IDs: ["CWE-266", "CWE-613"]
Alternative ID: GHSA-jg95-r9xh-xw9c
Finding: F159
Auto approve: 1