CVE-2023-49796: 
Python vulnerability analysis and mitigation

MindsDB, a software that connects artificial intelligence models to real-time data, was found to contain a limited file write vulnerability in file.py in versions prior to 23.11.4.1. The vulnerability was discovered and reported by Sylwia Budzynska from the GitHub Security Lab team (GitHub Advisory).

The vulnerability exists in the put method in mindsdb/mindsdb/api/http/namespaces/file.py where user-controlled input in the original_file_name value is not properly validated. This leads to path injection after file contents have been checked by the _handle_source method in file_handler.py. The vulnerability allows for creating and overwriting files, but only if they are real csv, xls, xlsx, json, or parquet files. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows attackers to create and overwrite files on the system, but is limited to specific file types (csv, xls, xlsx, json, or parquet). This could potentially lead to unauthorized file manipulation within the system's constraints (GitHub Lab).

Users should upgrade to MindsDB version 23.11.4.1 or use the staging branch, which contains a fix for the issue. The fix includes improved input validation and filename sanitization through the implementation of a clear_filename function (GitHub Commit).