CVE-2023-50731: 
Python vulnerability analysis and mitigation

MindsDB, a SQL Server for artificial intelligence, was found to contain a critical vulnerability (CVE-2023-50731) prior to version 23.11.4.1. The vulnerability exists in the put method within mindsdb/mindsdb/api/http/namespaces/file.py, where insufficient validation of user-controlled name values used in temporary file names leads to path injection (GitHub Security Lab, NVD).

The vulnerability stems from the put method's handling of file operations. When a temporary file is created, the user-controlled name value is used without proper validation in the file path. The file is opened for writing on lines 122-125, enabling path injection. Although the temporary directory is deleted on line 151, the path injection vulnerability allows writing files outside the directory, meaning potentially dangerous files remain on the system. The vulnerability has a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

The vulnerability allows arbitrary file contents to be written through f.write(chunk) on line 125. While MindsDB does validate file types (csv, json, parquet, xls, or xlsx) in the save_file method, this check occurs after file writing, meaning malicious files persist on the system. Additionally, the same user-controlled source variable can be exploited in another path injection vulnerability that enables deletion of any zip or tar.gz files on the server (GitHub Security Lab).

The vulnerability has been patched in MindsDB version 23.11.4.1. Users should upgrade to this version or later to mitigate the risk (GitHub Security Advisory).