
CVE-2024-45848: MindsDB Eval Injection vulnerability

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score
0.78945%
Published
9/12/2024
Updated
9/16/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| mindsdb | pip | >= 23.12.4.0, < 24.7.4.1 | 24.7.4.1 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the use of eval() in the ChromaDB handler's insert function to process metadata values. The GitHub patch explicitly replaces eval() with ast.literal_eval() in this function, and the CVE description specifically names ChromaDB INSERT queries as the attack vector. Other handlers (SharePoint, Weaviate) also had eval() usages patched in the same change, but CVE-2024-45848 is explicitly tied to the ChromaDB integration's metadata processing in the insert method.
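To make the root cause concrete, here is an added example (not MindsDB's own code) of the pattern the analysis describes: a hypothetical metadata parser used on an insert path, first with `eval()` and then hardened with `ast.literal_eval()` as in the patch. The sample rows, the function names `parse_metadata_unsafe`, `parse_metadata_safe` and `insert_rows`, and the row layout are all constructed for illustration and do not reflect the real handler's code.

```python
import ast

# Constructed sample rows standing in for the metadata column of an INSERT.
# Values arrive as strings and must be turned into Python objects (dict/list)
# before being handed to the vector store.
SAMPLE_ROWS = [
    {"id": "doc-1", "metadata": "{'source': 'wiki', 'page': 3}"},  # legitimate literal
    {"id": "doc-2", "metadata": "['tag-a', 'tag-b']"},             # legitimate literal
    # An expression rather than a literal. Harmless here, but eval() would run
    # whatever code the query author placed in this position.
    {"id": "doc-3", "metadata": "len('abc')"},
]


def parse_metadata_unsafe(value: str):
    """Vulnerable pattern (hypothetical): eval() treats the column as code."""
    return eval(value)


def parse_metadata_safe(value: str):
    """Hardened pattern: only Python literals (dict, list, str, numbers, ...)
    are accepted; any call, attribute access or name lookup is rejected."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"metadata is not a literal: {value!r}") from exc


def insert_rows(rows, parser):
    """Hypothetical insert path: parse each row's metadata with the given
    parser and return (accepted_rows, rejected_ids)."""
    accepted, rejected = [], []
    for row in rows:
        try:
            accepted.append({"id": row["id"], "metadata": parser(row["metadata"])})
        except ValueError:
            rejected.append(row["id"])
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = insert_rows(SAMPLE_ROWS, parse_metadata_unsafe)
    print("eval():         accepted", [r["id"] for r in ok], "rejected", bad)
    ok, bad = insert_rows(SAMPLE_ROWS, parse_metadata_safe)
    print("literal_eval(): accepted", [r["id"] for r in ok], "rejected", bad)
```

With `eval()` the third row is silently executed and stored as `3`; with `ast.literal_eval()` it is rejected because a function call is not a literal. Note that `ast.literal_eval()` only removes code execution: the Python documentation warns that sufficiently deep or large input can still exhaust the interpreter's stack, so length limits on user-supplied metadata remain sensible.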


WAF Protection Rules

WAF Rule

An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted 'INSERT' query containing Python code is run against a dat
