CVE-2024-24759

high-risk
Published 2024-09-05

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.

Do I need to act?

!
82.8% chance of exploitation in next 30 days
EPSS score — higher than 17% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.3/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Mindsdb

References (2)

Patch https://github.com/mindsdb/mindsdb/commit/5f7496481bd3db1d06a2d2e62c0dce960a1fe1...
Exploit https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr
56
/ 100
high-risk
Severity 31/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal