CVE-2024-45847: 
Python vulnerability analysis and mitigation

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. The vulnerability, identified as CVE-2024-45847, was discovered and disclosed on September 12, 2024. The issue affects multiple integrations including PgVector, Milvus, LanceDB, Xata, Qdrant, Pinecone, ChromaDB, and WeaviateDB (HiddenLayer Advisory).

The vulnerability exists in the dispatchupdate function of the mindsdb/integrations/libs/vectordatabase_handler.py file. When a specially crafted 'UPDATE' query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and is categorized as CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (NVD, HiddenLayer Advisory).

The vulnerability allows an authenticated attacker to execute arbitrary Python code on the machine where the MindsDB instance is running. This could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (HiddenLayer Advisory).

The vulnerability was addressed in version 24.7.4.1 of MindsDB, where the use of 'eval' was replaced with 'ast.literal_eval'. Users are advised to upgrade to this version or newer to mitigate the vulnerability (HiddenLayer Advisory).