CVE-2023-50731
📋 TL;DR
This is a path injection vulnerability in the MindsDB HTTP file upload handler (mindsdb/api/http/namespaces/file.py): the client-supplied file name is used to build a filesystem path without validation, so an attacker can write a file to an arbitrary location on the server and, through the same unchecked name, delete files whose names end in .zip or .tar.gz. It affects all MindsDB instances prior to version 23.11.4.1 that expose the HTTP API's file upload functionality.
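The following is an added illustration, not MindsDB's code: it models the unsafe pattern the advisory describes (a client-supplied name joined straight onto the upload directory) next to a hardened version, and shows with constructed sample names which ones escape the upload directory. The function names, the demo directory created with tempfile, and the sample names such as ../../etc/cron.d/backdoor are assumptions made for the example.

```python
import os
import tempfile


class UnsafeFileName(ValueError):
    """Raised when a client-supplied name would escape the upload directory."""


def vulnerable_target_path(upload_dir: str, name: str) -> str:
    """The unsafe pattern (illustrative, not MindsDB's code).

    os.path.join keeps '..' segments, and if `name` is absolute it discards
    `upload_dir` entirely, so the caller writes wherever `name` points.
    """
    return os.path.join(upload_dir, name)


def safe_target_path(upload_dir: str, name: str) -> str:
    """Hardened form: accept only a plain file name, then re-check the resolved path."""
    # 1. Reject anything that is not a single path component.
    if not name or name in (".", "..") or any(c in name for c in ("/", "\\", "\0")):
        raise UnsafeFileName(name)
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # 2. Defense in depth: the resolved path must still sit inside the base
    #    directory (covers symlinks and any bypass of the character check).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFileName(name)
    return candidate


def escapes_upload_dir(upload_dir: str, name: str) -> bool:
    """True if the unsafe pattern would place the file outside upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(vulnerable_target_path(upload_dir, name))
    return os.path.commonpath([base, target]) != base


def is_accepted(upload_dir: str, name: str) -> bool:
    """True if the hardened check lets this name through."""
    try:
        safe_target_path(upload_dir, name)
        return True
    except UnsafeFileName:
        return False


def store_upload(upload_dir: str, name: str, data: bytes) -> str:
    """Write an upload using the hardened check and return where it landed."""
    path = safe_target_path(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample names (not from a real incident).
DEMO_NAMES = ("model.csv", "../../etc/cron.d/backdoor", "/etc/passwd", "..\\..\\win.ini")


def demo() -> dict:
    """Return {name: (escapes via unsafe pattern, accepted by hardened check)}."""
    upload_dir = tempfile.mkdtemp(prefix="mindsdb_demo_")
    results = {}
    for name in DEMO_NAMES:
        accepted = is_accepted(upload_dir, name)
        if accepted:
            store_upload(upload_dir, name, b"constructed sample upload\n")
        results[name] = (escapes_upload_dir(upload_dir, name), accepted)
    return results


if __name__ == "__main__":
    for name, (escapes, accepted) in demo().items():
        print(f"{name!r:32} unsafe pattern escapes dir: {escapes!s:5} hardened accepts: {accepted}")
```

On a POSIX host the backslash name is a single (odd) file name, so the unsafe pattern does not escape with it, but the hardened check still rejects it because the same code may run on Windows where the backslash is a separator.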
💻 Affected Systems
- MindsDB
📦 What is this software?
MindsDB is an open-source platform for building and serving machine-learning models on top of databases through SQL. It exposes an HTTP API that includes the file upload endpoint affected here.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the host: the arbitrary file write is used to drop or overwrite files that get executed (scheduled tasks, application code, startup scripts), giving remote code execution and persistence, while the deletion of zip/tar.gz files destroys data or backups.
Likely Case
Arbitrary file write within whatever the MindsDB service account can reach (planting or overwriting files), service disruption through deletion of zip/tar.gz files, and privilege escalation if a writable location is consumed by a more privileged process.
If Mitigated
Limited impact if the service runs as a dedicated low-privilege user and file system permissions keep it from writing to sensitive directories; writes inside the directories that user owns remain possible.
🎯 Exploit Status
The GitHub Security Lab advisory (GHSL-2023-182 through GHSL-2023-184) describes the issue and a proof of concept. Exploitation only requires HTTP access to the MindsDB file upload API endpoint plus whatever authentication the deployment enforces on the HTTP API; MindsDB's HTTP API authentication is optional, so an unauthenticated deployment is exposed to anyone who can reach the port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.11.4.1
Vendor Advisory: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-j8w6-2r9h-cxhj
Restart Required: Yes
Instructions:
1. Update MindsDB to version 23.11.4.1 or later with pip, quoting the requirement so the shell does not treat '>=' as a redirect: 'pip install --upgrade "mindsdb>=23.11.4.1"'
2. Restart the MindsDB service; the running process keeps the old code until restarted.
3. Verify the update was successful: 'pip show mindsdb' should report version 23.11.4.1 or later.
🔧 Temporary Workarounds
Disable the file upload endpoint
Block or disable the vulnerable file upload API endpoint if it is not required:
Configure the firewall, reverse proxy or load balancer to block requests to the /api/files endpoint
Modify the MindsDB configuration to disable file upload functionality
Restrict file system permissions
Run MindsDB as a dedicated non-root user with a restricted home directory and the minimum file system write permissions it needs. The paths below are an example; substitute your deployment's MindsDB storage directory:
chown -R mindsdb:mindsdb /var/lib/mindsdb
chmod 750 /var/lib/mindsdb
This limits what an arbitrary write can reach (system cron directories, other services' files) but does not prevent writes inside directories the MindsDB user owns.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MindsDB instances from sensitive systems
- Deploy WAF rules to detect and block path traversal patterns in file upload requests
🔍 How to Verify
Check if Vulnerable:
Check the installed MindsDB version and compare it numerically, component by component, not as a string (MindsDB uses date-based versions, so a plain string comparison sorts 23.9.x after 23.11.x). Anything below 23.11.4.1 is vulnerable. On a test instance you can also confirm the behaviour by uploading a file whose name contains a traversal sequence such as ../ and checking whether it lands outside the upload directory.
Check Version:
python -c "import mindsdb; print(mindsdb.__version__)" or pip show mindsdb (lighter, since importing mindsdb loads its dependencies), or check the package manager you installed it with
Verify Fix Applied:
Confirm the installed version is 23.11.4.1 or later. On a test instance, confirm that an upload whose name contains ../ no longer produces a file outside the upload directory.
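An added example (not part of the page or of MindsDB) that performs the version check the way the text recommends: it parses the version into integer components so that date-based versions compare correctly, and reads the installed version through importlib.metadata. The function names and the sample version strings in the comments are assumptions for the example; they are not a list of released versions.

```python
import re
from importlib import metadata

FIXED_VERSION = "23.11.4.1"  # first patched release per the vendor advisory


def parse_version(v: str) -> tuple:
    """Turn '23.11.4.1' into (23, 11, 4, 1).

    Leading digits of each component are used, non-numeric suffixes are
    dropped, and missing components are padded with zeros so that
    '23.11' and '23.11.0.0' compare equal.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_vulnerable(v: str) -> bool:
    """True if version v predates the fix.

    The integer comparison is the point: as strings, '23.9.1.0' < '23.11.4.1'
    is False (because '9' > '1'), which would wrongly mark a 23.9 build safe.
    """
    return parse_version(v) < parse_version(FIXED_VERSION)


def installed_version():
    """Version of the mindsdb distribution visible to this interpreter, or None."""
    try:
        return metadata.version("mindsdb")
    except metadata.PackageNotFoundError:
        return None


def check() -> str:
    """Human-readable verdict for the local installation."""
    v = installed_version()
    if v is None:
        return "mindsdb is not installed in this interpreter"
    state = "VULNERABLE" if is_vulnerable(v) else "patched"
    return f"mindsdb {v}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(check())
```

Run it with the same interpreter that runs MindsDB; a version reported by a different virtualenv says nothing about the service actually listening on the network.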
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside expected directories
- Failed file type validation errors
- Path traversal patterns in file upload requests
Network Indicators:
- HTTP requests to /api/files endpoint with suspicious filename parameters
- Unusual file deletion patterns
SIEM Query:
source="mindsdb" AND uri_path="/api/files*" AND (uri_path="*../*" OR uri_path="*..\\*" OR uri_path="*%2e%2e*" OR uri_path="*%2E%2E*" OR filename="*../*" OR filename="*..\\*")
The upload name may arrive as the last segment of the request URI rather than as a separate field, so match on the URI as well as any extracted filename field, and include URL-encoded forms (%2e%2e, %2f, and double-encoded %252e) because a proxy or log pipeline may not decode them before indexing.
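The detection logic from the query above, run over constructed access-log lines as an added example (not part of the page and not MindsDB's logging). It assumes the upload name is the last path segment of requests to /api/files/, decodes percent-encoding repeatedly so double-encoded payloads are caught, and flags dot-dot segments, embedded separators and absolute paths. The log lines, IP addresses and file names are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real MindsDB logs).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2023:10:00:01 +0000] "PUT /api/files/sales.csv HTTP/1.1" 200 41
10.0.0.9 - - [12/Dec/2023:10:00:05 +0000] "PUT /api/files/..%2F..%2Fetc%2Fcron.d%2Fjob HTTP/1.1" 200 41
10.0.0.9 - - [12/Dec/2023:10:00:06 +0000] "PUT /api/files/%252e%252e%252fshell.py HTTP/1.1" 200 41
10.0.0.9 - - [12/Dec/2023:10:00:07 +0000] "PUT /api/files/..\\..\\win.ini HTTP/1.1" 200 10
10.0.0.9 - - [12/Dec/2023:10:00:08 +0000] "PUT /api/files/%2Fvar%2Flib%2Fmindsdb%2Fold.tar.gz HTTP/1.1" 200 5
10.0.0.5 - - [12/Dec/2023:10:00:09 +0000] "GET /api/status HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for this example: the upload name is the path segment after this prefix.
FILES_PREFIX = "/api/files/"


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_reason(name: str):
    """Why a decoded upload name looks like path injection, or None if it is plain."""
    n = fully_decode(name)
    if "\0" in n:
        return "null byte"
    if n.startswith("/") or re.match(r"^[A-Za-z]:", n):
        return "absolute path"
    segments = re.split(r"[\\/]", n)
    if ".." in segments:
        return "dot-dot segment"
    if "/" in n or "\\" in n:
        return "embedded path separator"
    return None


def analyze(log_text: str) -> list:
    """Return one record per request to the upload endpoint with a suspicious name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m["uri"].split("?", 1)[0]
        if not uri.startswith(FILES_PREFIX):
            continue
        name = uri[len(FILES_PREFIX):]
        reason = traversal_reason(name)
        if reason:
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": m["status"],
                "name": fully_decode(name),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"{hit['ip']:10} {hit['method']:4} {hit['status']} {hit['reason']:24} {hit['name']}")
```

A 200 status on a flagged request is the interesting case: on a patched server these names should be rejected, so a successful response to one is a strong signal that the instance is still vulnerable and was probed or exploited.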
🔗 References
- https://github.com/mindsdb/mindsdb/blob/1821da719f34c022890c9ff25810218e71c5abbc/mindsdb/api/http/namespaces/file.py#L122-L125
- https://github.com/mindsdb/mindsdb/blob/1821da719f34c022890c9ff25810218e71c5abbc/mindsdb/api/http/namespaces/file.py#L138
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-j8w6-2r9h-cxhj
- https://securitylab.github.com/advisories/GHSL-2023-182_GHSL-2023-184_mindsdb_mindsdb/