GHSA-crhp-7c74-cg4c

GitHub Security Advisory

Improper Input Validation in mindsdb

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

The `put` method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value. That value is used to build a temporary file name, and the resulting path is opened for writing on lines 122-125, so a request body controls where the file lands (path injection, e.g. via `../` segments or an absolute path). The result is an arbitrary file write: a caller can write a file anywhere on the server that the filesystem permissions of the process running mindsdb allow.
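To make the weakness concrete, the following is an added illustration, not code from mindsdb or from the advisory: it shows the vulnerable pattern (a user-supplied name joined straight onto a temp directory) next to a hardened helper that allow-lists the name and then verifies the resolved path is still inside the intended directory. `BASE_DIR`, `unsafe_temp_path`, `safe_temp_path` and `write_upload` are hypothetical names chosen for the example; they do not reflect mindsdb's actual layout or the patched code.

```python
import os
import re
import tempfile

# Hypothetical upload scratch directory (an assumption for this example only).
BASE_DIR = os.path.join(tempfile.gettempdir(), "upload_demo")


def unsafe_temp_path(base_dir: str, name: str) -> str:
    """The vulnerable pattern: the caller-controlled name is joined unchecked.

    "../../etc/cron.d/evil" walks out of base_dir, and an absolute name such
    as "/etc/passwd" makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, name)


# Allow-list: one path component, no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def safe_temp_path(base_dir: str, name: str) -> str:
    """Hardened variant: validate the name, then re-check the resolved path."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even after the allow-list, confirm containment.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base dir: {name!r}")
    return candidate


def escapes(base_dir: str, path: str) -> bool:
    """True if `path` resolves outside `base_dir` (used to demonstrate the bug)."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def is_rejected(base_dir: str, name: str) -> bool:
    """True if the hardened helper refuses `name`."""
    try:
        safe_temp_path(base_dir, name)
    except ValueError:
        return True
    return False


def write_upload(base_dir: str, name: str, data: bytes) -> str:
    """Write uploaded bytes only to a validated path under base_dir."""
    path = safe_temp_path(base_dir, name)
    os.makedirs(base_dir, exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for n in ("model.csv", "../../etc/cron.d/evil", "/etc/passwd", ".bashrc"):
        print(f"{n!r:28} unsafe -> {unsafe_temp_path(BASE_DIR, n)}"
              f"  escapes={escapes(BASE_DIR, unsafe_temp_path(BASE_DIR, n))}"
              f"  hardened rejects={is_rejected(BASE_DIR, n)}")
```

The allow-list is the primary control; the `realpath` plus `commonpath` containment check is a second, independent guard so that a future loosening of the regex (or a symlink inside the directory) still cannot turn the write into an out-of-tree one.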

### Patches

Upgrade to mindsdb v23.11.4.1 or later, or use the mindsdb staging branch, which contains the fix.

### References

* GHSL-2023-184
* See [CodeQL path injection prevention guidelines](https://codeql.github.com/codeql-query-help/python/py-path-injection/) and [OWASP guidelines](https://owasp.org/www-community/attacks/Path_Traversal).

Affected Packages

PyPI mindsdb
Affected versions: all versions before 23.11.4.1 (fixed in 23.11.4.1)

Key Information

GHSA ID
GHSA-crhp-7c74-cg4c
Published
December 12, 2023 12:49 AM
Last Modified
November 22, 2024 6:14 PM
CVSS Score
5.0 / 10
Primary Ecosystem
PyPI
Primary Package
mindsdb
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 14, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.