
Cloud Vulnerability DB
A community-led vulnerabilities database
An arbitrary code execution vulnerability exists in MindsDB from version 23.10.5.0 up to, but not including, 24.7.4.1 when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an 'INSERT' query against the lists table is used to create a SharePoint list. If such a query is crafted to contain a Python expression and is run against the database, that expression is passed to an eval function and executed on the server with the privileges of the MindsDB process (NVD, HiddenLayer).
The vulnerability is in the create_a_list function of the mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py file in the Microsoft SharePoint integration. The issue stems from an unprotected eval call that processes the value supplied for the list column in an 'INSERT' statement on the lists table, so any valid Python expression in that value is evaluated rather than parsed as data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, low privileges required (an authenticated MindsDB user), no user interaction, and high impact on confidentiality, integrity and availability (HiddenLayer).
If successfully exploited, this vulnerability allows an authenticated attacker to execute arbitrary Python code on the machine where the MindsDB instance is running. This could lead to complete compromise of that host, including theft of the data and credentials MindsDB holds (such as the SharePoint connection secrets), manipulation of the system, or use of the host as a foothold for further network penetration (HiddenLayer).
The vulnerability was addressed in version 24.7.4.1 by replacing the use of 'eval' with 'ast.literal_eval' in the project's GitHub repository (HiddenLayer). 'ast.literal_eval' only constructs Python literals (dicts, lists, strings, numbers, tuples, booleans and None) and never resolves names or calls functions, so an expression such as a call to '__import__' is rejected with a ValueError before anything runs; it does not, on its own, check that the resulting value has the shape the caller expects.
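The following is an added illustration, not code from MindsDB or from HiddenLayer's advisory. It stands in for the list-creation path described above: a vulnerable version that passes the raw list column value to eval, beside a hardened version that mirrors the upstream switch to ast.literal_eval. The function names, the sample rows and the harmless payload (an expression that merely returns the working directory) are all constructed for the demonstration; the isinstance shape check in the hardened version is an extra guard added here and is not claimed to be part of the upstream fix.

```python
import ast
import os

# Constructed inputs for the demonstration.
BENIGN_ROW = "{'DisplayName': 'Quarterly Reports', 'BaseTemplate': 100}"
STRING_ROW = "'Quarterly Reports'"  # a valid literal, but not the dict the caller expects
# A harmless expression standing in for attacker-supplied Python: under eval()
# any expression, including one that spawns a shell, runs the same way.
PAYLOAD_ROW = "__import__('os').getcwd()"


def create_list_vulnerable(list_value: str):
    """Stand-in for the affected behaviour: the raw column value reaches eval()."""
    return eval(list_value)  # attacker-controlled string -> arbitrary code execution


def create_list_fixed(list_value: str) -> dict:
    """Hardened stand-in mirroring the upstream change to ast.literal_eval.

    literal_eval only builds Python literals; it never resolves names or calls
    functions, so __import__('os') is refused before anything executes.
    The isinstance check is an extra guard added in this example (not part of
    the upstream fix): literal_eval will happily return a bare string or number.
    """
    try:
        list_object = ast.literal_eval(list_value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"list column is not a Python literal: {list_value!r}") from exc
    if not isinstance(list_object, dict):
        raise ValueError(f"list column must be a dict literal, got {type(list_object).__name__}")
    return list_object


def rejects(func, value: str) -> bool:
    """True if func raises ValueError for value, i.e. the input was refused."""
    try:
        func(value)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Exercise both paths on the constructed rows and return a summary."""
    return {
        "benign_vulnerable": create_list_vulnerable(BENIGN_ROW),
        "benign_fixed": create_list_fixed(BENIGN_ROW),
        # Under eval() the payload executes and yields the process's cwd.
        "payload_ran_under_eval": create_list_vulnerable(PAYLOAD_ROW) == os.getcwd(),
        # Under literal_eval the same payload is refused before it can run.
        "payload_rejected_by_fix": rejects(create_list_fixed, PAYLOAD_ROW),
        # literal_eval alone accepts a string literal; the shape check refuses it.
        "string_rejected_by_fix": rejects(create_list_fixed, STRING_ROW),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Both versions accept the benign dict row, which is why the eval call survived in normal use; the difference only shows when the column carries an expression instead of a literal. When reviewing similar integrations, search for eval on any value that arrives through a SQL statement or API request, and pair the literal_eval replacement with an explicit type check on the result.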
The vulnerability was discovered and reported by researchers at HiddenLayer, who followed a coordinated disclosure process, first notifying the vendor on July 12, 2024. After multiple follow-ups, the vendor acknowledged the issue on September 10, 2024, confirming that it had implemented changes to mitigate the reported issues (HiddenLayer).
Source: This report was generated using AI