CVE-2024-45187: 
Python vulnerability analysis and mitigation

Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges, specifically allowing access to remotely execute arbitrary code through the Mage AI terminal server. The vulnerability (CVE-2024-45187) was discovered in August 2024 and received a CVSS score of 7.1 (HIGH) (JFrog Research).

The vulnerability exists in the terminal_server.py file where the code checks API key authentication and user tokens. The issue occurs because the valid variable is set to True before verifying if there is a user associated with the token. When a user is deleted, their authentication token remains cached in the database with a default 30-day expiration period. If a deleted low-privileged user reuses their authentication token, they can gain unauthorized access to the Mage Web Terminal and execute arbitrary commands on the server hosting Mage.AI (Hacker News).

The vulnerability allows deleted users to gain unauthorized shell access with root permissions, enabling them to execute arbitrary commands on the Mage.AI server. This access could lead to full system compromise, including unauthorized access to ML pipelines, datasets, and model training systems. Since MLOps pipelines may have access to the organization's ML Datasets, ML Model Training, and ML Model Publishing, exploiting this vulnerability can result in severe breaches including data theft and ML model manipulation (JFrog Blog).