CVE-2024-45846
📋 TL;DR
This vulnerability allows remote code execution on MindsDB servers when the Weaviate integration is installed. Attackers can execute arbitrary Python code by crafting malicious SELECT WHERE clauses against Weaviate-engine databases. Organizations running MindsDB versions 23.10.3.0 through 24.7.4.1 with Weaviate integration are affected.
💻 Affected Systems
- MindsDB
📦 What is this software?
MindsDB by MindsDB
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized data access, privilege escalation, and potential installation of cryptocurrency miners or botnet clients.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and proper monitoring catching exploitation attempts.
🎯 Exploit Status
Exploitation requires database access but the vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.7.4.2 and later
Vendor Advisory: https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/
Restart Required: Yes
Instructions:
1. Upgrade MindsDB to version 24.7.4.2 or later.
2. Restart the MindsDB service.
3. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable Weaviate Integration
Remove or disable the Weaviate integration if it is not required for operations.
# Remove Weaviate integration
pip uninstall mindsdb-weaviate
Network Segmentation
Restrict access to MindsDB instances to only trusted users and applications.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can connect to MindsDB instances
- Monitor for unusual database queries containing Python code patterns
🔍 How to Verify
Check if Vulnerable:
Check MindsDB version and verify if Weaviate integration is installed. Vulnerable if version is between 23.10.3.0 and 24.7.4.1 inclusive with Weaviate present.
Check Version:
mindsdb --version
Verify Fix Applied:
Confirm MindsDB version is 24.7.4.2 or later and restart service.
📡 Detection & Monitoring
Log Indicators:
- Unusual SELECT WHERE queries containing Python code patterns
- Unexpected process execution from MindsDB context
Network Indicators:
- Unusual outbound connections from MindsDB server
- Database queries containing eval() or exec() patterns
SIEM Query:
source="mindsdb" AND ("SELECT WHERE" AND ("eval" OR "exec" OR python_code_patterns))
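An added example (not from the advisory or the MindsDB project) that turns the "How to Verify" range check and the SIEM query above into runnable defender-side code: it compares a dotted version against the inclusive affected range as integer tuples rather than strings, and scans query log lines for SELECT statements whose WHERE clause carries an eval() or exec() call. The log format (one query per line with the SQL in sql="...") and the sample lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Affected range stated in the advisory (inclusive, both ends).
FIRST_VULNERABLE = (23, 10, 3, 0)
LAST_VULNERABLE = (24, 7, 4, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '24.7.4.1' into (24, 7, 4, 1); pad short versions so tuple comparison is safe.
    Integer tuples avoid the string-compare trap where '24.10' sorts before '24.7'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str, weaviate_installed: bool) -> bool:
    """Vulnerable only when the version is in range AND the Weaviate integration is present."""
    return weaviate_installed and FIRST_VULNERABLE <= parse_version(version) <= LAST_VULNERABLE


# Assumed log layout: the executed SQL appears as sql="..." on each line (constructed format).
LOG_LINE = re.compile(r'sql="(?P<sql>[^"]*)"')
# Indicators the advisory names (eval/exec calls); extend the alternation as needed.
SUSPICIOUS = re.compile(r"\b(eval|exec)\s*\(", re.IGNORECASE)
WHERE_CLAUSE = re.compile(r"\bWHERE\b(?P<where>.*)$", re.IGNORECASE | re.DOTALL)


def flag_suspicious_queries(log_lines: List[str]) -> List[str]:
    """Return the SQL of every SELECT whose WHERE clause contains an eval()/exec() call."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        sql = m.group("sql")
        if not sql.lstrip().upper().startswith("SELECT"):
            continue  # the advisory's indicator is specifically SELECT ... WHERE
        where = WHERE_CLAUSE.search(sql)
        if where and SUSPICIOUS.search(where.group("where")):
            hits.append(sql)
    return hits


# Constructed sample log: one benign query, one flagged query, and two decoys
# (a column merely named eval_score, and a non-SELECT statement).
SAMPLE_LOG = [
    '2024-09-10T12:00:01 mindsdb query db=weaviate_db sql="SELECT * FROM weaviate_db.docs WHERE content = \'hello\'"',
    '2024-09-10T12:00:05 mindsdb query db=weaviate_db sql="SELECT * FROM weaviate_db.docs WHERE content = eval(\'1+1\')"',
    '2024-09-10T12:00:09 mindsdb query db=weaviate_db sql="SELECT eval_score FROM weaviate_db.docs WHERE id = 3"',
    '2024-09-10T12:00:12 mindsdb query db=weaviate_db sql="INSERT INTO weaviate_db.docs VALUES (exec(\'x\'))"',
]
```

Feed real MindsDB query logs to flag_suspicious_queries after adjusting LOG_LINE to the actual format in use.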