CVE-2024-45855

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Sep 12, 2024
Updated: Sep 16, 2024
CWE ID: 502 (Deserialization of Untrusted Data)

Summary

CVE-2024-45855 is a deserialization-of-untrusted-data vulnerability in the MindsDB platform, affecting versions 23.10.2.0 and later. An attacker who can upload a malicious in-house model and then use it through the 'finetune' feature can have the server deserialize attacker-controlled data, which leads to arbitrary code execution on the MindsDB server. Remediation is twofold: do not load models from untrusted sources, and run a version of the platform that addresses this issue. The impact is severe because the flaw is reachable over the network, requires only low privileges to exploit, and yields high impact on the confidentiality, integrity, and availability of the affected system.
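
The mechanism behind this weakness class, as an added illustration that is not MindsDB's own code and does not claim to be the exact code path behind this CVE: a Python model artifact serialized with pickle carries instructions, not just data, and the loader will call whatever callable the stream names the moment it is loaded. The artifact names, the `side_effect` stand-in for an attacker's payload, and the allowlist in `RestrictedUnpickler` are assumptions made for this demo.

```python
"""Added example: CWE-502 with a pickled "model" upload, unsafe vs. restricted loader."""
import io
import pickle

# Record of side effects, so the demo can prove code ran without doing harm.
EXECUTED = []


def side_effect(marker):
    """Stand-in for an attacker's os.system(...) call; it only records that it ran."""
    EXECUTED.append(marker)
    return marker


class MaliciousModel:
    """Object whose pickle stream tells the loader to call side_effect()."""

    def __reduce__(self):
        # pickle serialises this as: GLOBAL side_effect, args, REDUCE,
        # so pickle.loads() calls side_effect("code-ran-on-load") on the server.
        return (side_effect, ("code-ran-on-load",))


def build_benign_model_bytes():
    """Constructed benign artifact: plain containers and numbers only."""
    return pickle.dumps({"name": "demo-model", "weights": [0.1, 0.2, 0.3]})


def build_malicious_model_bytes():
    """Constructed attacker upload: looks like a model file, executes on load."""
    return pickle.dumps(MaliciousModel())


def load_model_unsafe(blob):
    """Vulnerable pattern: deserialise whatever the user uploaded."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuse every global except an explicit allowlist (assumed set)."""

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "float"),
        ("builtins", "str"),
    }

    def find_class(self, module, name):
        # Every GLOBAL opcode in the stream comes through here; anything not on
        # the allowlist, including the attacker's callable, is rejected.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle"
        )


def load_model_safe(blob):
    """Deserialise with the allowlist; attacker-controlled callables are rejected."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Run both loaders on both artifacts and report what happened."""
    EXECUTED.clear()
    benign = build_benign_model_bytes()
    malicious = build_malicious_model_bytes()

    unsafe_result = load_model_unsafe(malicious)
    unsafe_ran_code = EXECUTED == ["code-ran-on-load"]

    EXECUTED.clear()
    try:
        load_model_safe(malicious)
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = True
    safe_ran_code = bool(EXECUTED)

    return {
        "unsafe_returned": unsafe_result,
        "unsafe_ran_code": unsafe_ran_code,
        "safe_blocked": safe_blocked,
        "safe_ran_code": safe_ran_code,
        "safe_loads_benign": load_model_safe(benign) == pickle.loads(benign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlisting unpickler shows why the flaw is a deserialization problem rather than a file-format problem: the malicious upload is a perfectly valid pickle, and only refusing to resolve arbitrary globals stops it. Treat the restricted loader as a mitigation, not a cure; the robust fix for a "finetune" style feature is to never unpickle uploads at all and to accept model weights in a data-only format instead.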
