
CVE-2023-49795 mindsdb

Package

Manager: pip
Name: mindsdb
Vulnerable Version: >=0 <23.11.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0027 (percentile 0.50174)

Details

Server-Side Request Forgery in mindsdb

### Impact

The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled URL in the source variable and uses it to create arbitrary requests on line 115, which allows Server-Side Request Forgery (SSRF). This issue may lead to Information Disclosure.

The SSRF allows for forging arbitrary network requests from the MindsDB server. It can be used to scan nodes in internal networks for open ports that may not be accessible externally, as well as to scan for existing files on the internal network. It allows for retrieving files with csv, xls, xlsx, json or parquet extensions, which will be viewable via the MindsDB GUI. For any other existing files, it is a blind SSRF.

### Patches

Use the mindsdb staging branch or v23.11.4.1.

### References

* GHSL-2023-182
* [SSRF prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
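The following is an added example, not MindsDB's own code, showing the shape of the flaw described above next to a hardened fetch that applies the allow-list checks the advisory implies (http(s) only, one of the five listed file extensions, no loopback/private/link-local/metadata targets, and redirects re-validated hop by hop). The field name `source`, the `fetch`/`resolve` callables and the `FAKE_DNS`/`FAKE_HTTP` tables are all hypothetical, constructed so the block runs offline; the public IPs used for the "good" hosts are likewise just sample data.

```python
"""Added illustration of CVE-2023-49795 (not MindsDB code): a vulnerable
'fetch whatever URL the user sent' handler beside a hardened one.
Hypothetical assumptions: the URL arrives in a field called `source`, and
the HTTP client and DNS resolver are injectable so the demo is offline."""
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
# The advisory lists these as the types the GUI will render after a fetch.
ALLOWED_EXTENSIONS = {"csv", "xls", "xlsx", "json", "parquet"}
MAX_REDIRECTS = 3


def vulnerable_put(source, fetch):
    """Shape of the flaw: the user-controlled URL goes straight to the client."""
    return fetch(source)


def is_public_ip(ip_text):
    """False for loopback, RFC1918, link-local (incl. 169.254.169.254), etc."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_source_url(source, resolve):
    """Allow-list: http(s), allowed extension, every resolved address public.
    `resolve` maps a hostname to a list of IP strings (injected for the demo)."""
    parsed = urlparse(source)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    filename = parsed.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    host = parsed.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in addresses:  # every A/AAAA record must be public, not just one
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return parsed


def hardened_put(source, fetch, resolve):
    """Validate, fetch without auto-redirects, and re-validate every hop so a
    public host cannot 302 the server onto an internal address."""
    url = source
    for _ in range(MAX_REDIRECTS + 1):
        validate_source_url(url, resolve)
        resp = fetch(url)
        location = resp.get("headers", {}).get("Location")
        if resp["status"] in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return resp
    raise ValueError("too many redirects")


# Constructed fake network for the offline demo (hypothetical hosts and data).
FAKE_DNS = {
    "data.example.com": ["8.8.8.8"],      # sample public address
    "intranet.example": ["10.0.0.5"],     # public-looking name, RFC1918 target
    "bounce.example.com": ["1.1.1.1"],    # public host that redirects inward
}
FAKE_HTTP = {
    "https://data.example.com/sales.csv":
        {"status": 200, "headers": {}, "body": "id,amount\n1,10\n"},
    "http://10.0.0.5/secrets.csv":
        {"status": 200, "headers": {}, "body": "key,value\napi,hunter2\n"},
    "http://169.254.169.254/latest/meta-data/iam/creds.json":
        {"status": 200, "headers": {}, "body": '{"token": "constructed"}'},
    "https://bounce.example.com/report.csv":
        {"status": 302, "headers": {"Location": "http://10.0.0.5/secrets.csv"},
         "body": ""},
}
SSRF_PROBES = [
    "file:///etc/passwd",                                      # bad scheme
    "http://127.0.0.1:47334/x.csv",                            # loopback/port scan
    "http://[::1]/x.csv",                                      # IPv6 loopback
    "http://169.254.169.254/latest/meta-data/iam/creds.json",  # cloud metadata
    "http://intranet.example/secrets.csv",                     # DNS -> RFC1918
    "https://bounce.example.com/report.csv",                   # redirect inward
    "https://data.example.com/notes.txt",                      # not an allowed type
]


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_HTTP.get(url, {"status": 404, "headers": {}, "body": ""})


def demo():
    """Vulnerable handler reaches the metadata endpoint; hardened one blocks
    every probe while still serving the legitimate CSV."""
    results = {
        "vuln_metadata": vulnerable_put(SSRF_PROBES[3], fake_fetch)["status"],
        "hardened_ok": hardened_put("https://data.example.com/sales.csv",
                                    fake_fetch, fake_resolve)["body"],
        "blocked": [],
    }
    for url in SSRF_PROBES:
        try:
            hardened_put(url, fake_fetch, fake_resolve)
        except ValueError:
            results["blocked"].append(url)
    return results
```

Two caveats a practitioner should keep in mind: the resolve-then-fetch pattern still leaves a DNS rebinding window unless the HTTP client is pinned to the validated IP, and an extension allow-list governs only what the GUI renders, not what the server can reach, so the address checks are what actually remove the internal port and file scanning described in the advisory.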

Metadata

Created: 2023-12-12T00:48:48Z
Modified: 2024-11-22T18:14:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-34mr-6q8x-g9r6/GHSA-34mr-6q8x-g9r6.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-34mr-6q8x-g9r6
Finding: F100
Auto approve: 1