CVE-2024-45846: 
Python vulnerability analysis and mitigation

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. The vulnerability was discovered and disclosed on September 12, 2024, affecting the MindsDB platform's Weaviate integration component. If a specially crafted 'SELECT WHERE' clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server (HiddenLayer Advisory, NVD).

The vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviatehandler/weaviatehandler.py file in the Weaviate integration. The issue stems from an unprotected eval function that processes embedding vector filters in 'SELECT WHERE' clauses. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is categorized as CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (HiddenLayer Advisory).

The vulnerability allows an authenticated attacker to execute arbitrary Python code on the machine where the MindsDB instance is running. This could potentially lead to complete system compromise, as the attacker would have the ability to execute any code within the context of the MindsDB application (HiddenLayer Advisory).

The vulnerability was addressed in version 24.7.4.1 of MindsDB, where the use of 'eval' was replaced with 'ast.literal_eval'. Users are advised to upgrade to this version or newer to mitigate the vulnerability (HiddenLayer Advisory).

The vulnerability was initially reported to the vendor on July 12, 2024, and after multiple follow-ups, the vendor responded on September 10, 2024, confirming they had implemented changes to mitigate the reported issues. The public disclosure was made on September 12, 2024 (HiddenLayer Advisory).