CVE-2024-45848: MindsDB Eval Injection vulnerability
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-45848
GHSA ID:
EPSS Score: 0.78945%
CWE:
Published: 9/12/2024
Updated: 9/16/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mindsdb | pip | >= 23.12.4.0, < 24.7.4.1 | 24.7.4.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the use of eval() in the ChromaDB handler's insert function to process metadata values. The GitHub patch explicitly replaces eval() with ast.literal_eval() in this function, and the CVE description specifically calls out ChromaDB INSERT queries as the attack vector. While other handlers (SharePoint, Weaviate) also had uses of eval() patched, CVE-2024-45848 is explicitly tied to the ChromaDB integration's metadata processing in the insert method.
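As an added example (not MindsDB's own handler code), the eval() pattern the patch removed placed next to its ast.literal_eval() replacement, run over constructed rows; the row layout, the function names and the assumption that metadata arrives as a Python-literal string are all mine, not taken from the project.

```python
import ast
from typing import Any

# Constructed sample rows shaped like what an INSERT might carry
# (id, document text, metadata as a string). Row layout is an assumption, not MindsDB's schema.
SAMPLE_ROWS = [
    {"id": "doc-1", "document": "release notes", "metadata": "{'source': 'docs', 'page': 3}"},
    {"id": "doc-2", "document": "changelog", "metadata": "{'source': 'git', 'tags': ['v1', 'v2']}"},
]

def parse_metadata_unsafe(raw: str) -> Any:
    """Pre-patch pattern: eval() executes whatever expression the string holds."""
    return eval(raw)  # the defect the patch removed; kept only for comparison

def parse_metadata_safe(raw: str) -> dict:
    """Post-patch pattern: ast.literal_eval() accepts Python literals only."""
    # Calls, names, attribute access and imports are rejected with ValueError
    # before anything executes, which is what closes the injection.
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"metadata is not a Python literal: {raw!r}") from exc
    if not isinstance(value, dict):
        raise ValueError(f"metadata must be a dict, got {type(value).__name__}")
    return value

def is_literal_metadata(raw: str) -> bool:
    """True when the hardened parser would accept the string as a metadata dict."""
    try:
        parse_metadata_safe(raw)
    except ValueError:
        return False
    return True

def insert_rows(rows: list[dict]) -> list[dict]:
    """Hypothetical insert step: parse each row's metadata with the safe parser."""
    return [
        {"id": r["id"], "document": r["document"], "metadata": parse_metadata_safe(r["metadata"])}
        for r in rows
    ]

if __name__ == "__main__":
    probe = "len('abc')"  # benign non-literal expression used as a probe
    print("eval() executed it:", parse_metadata_unsafe(probe))
    print("literal_eval() accepted it:", is_literal_metadata(probe))
    print(insert_rows(SAMPLE_ROWS))
```

The probe shows the difference that matters for detection and review: any metadata string that eval() would run but ast.literal_eval() rejects is by definition not a literal and should never have reached the handler.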