Skip to main content

Mindsdb CVE-2023-30620

HIGH
Path Traversal (CWE-22)
2023-04-21 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 21, 2023 - 21:15 nvd
HIGH 7.5

DescriptionNVD

mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using tarfile.extractall() from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the vulnerability is called a TarSlip or a ZipSlip variant. An attacker may leverage this vulnerability to overwrite any local file which the server process has access to. There is no risk of file exposure with this vulnerability. This issue has been addressed in release 23.2.1.0 . Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

mindsdb is a Machine Learning platform to help developers build AI solutions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using tarfile.extractall() from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the vulnerability is called a TarSlip or a ZipSlip variant. An attacker may leverage this vulnerability to overwrite any local file which the server process has access to. There is no risk of file exposure with this vulnerability. This issue has been addressed in release 23.2.1.0 . Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Mindsdb.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2024-24759 CRITICAL POC
9.1 Sep 05

MindsDB is a platform for building artificial intelligence from enterprise data. Rated critical severity (CVSS 9.1), thi

CVE-2023-50731 CRITICAL POC
9.1 Dec 22

MindsDB is a SQL Server for artificial intelligence. Rated critical severity (CVSS 9.1), this vulnerability is remotely

CVE-2026-27483 HIGH POC
8.8 Feb 24

Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrict

CVE-2024-45852 HIGH POC
8.8 Sep 12

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a malicious

CVE-2024-45851 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the

CVE-2024-45850 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the

CVE-2024-45849 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the

CVE-2024-45848 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the

CVE-2024-45847 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one

CVE-2024-45846 HIGH POC
8.8 Sep 12

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the

CVE-2025-68472 HIGH POC
8.1 Jan 12

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenti

CVE-2024-45855 HIGH POC
7.5 Sep 12

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciou

Share

CVE-2023-30620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy