Improper Input Validation in mindsdb
Description
Published by the National Vulnerability Database
Dec 11, 2023
Published to the GitHub Advisory Database
Dec 12, 2023
Reviewed
Dec 12, 2023
Last updated
Nov 22, 2024
Impact
The put method in
mindsdb/mindsdb/api/http/namespaces/file.py
does not validate the user-controlledname
value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to.Patches
Use mindsdb staging branch or v23.11.4.1
References
References