23.12.5
23.12.4.2
CVE-2024-24759 describes a critical Server-Side Request Forgery (SSRF) vulnerability in mindsdb. Through DNS rebinding, an attacker can get a URL that passes mindsdb's validation to be fetched from an internal address that should be unreachable. The vulnerability affects mindsdb versions up to and including 23.9.3.1; a fix is available in version 23.12.4.2.
The SSRF vulnerability in mindsdb arises from insufficient URL validation: mindsdb checks where a hostname resolves but does not ensure that the address it later connects to is the address it checked, so it has no defence against DNS rebinding. In a DNS rebinding attack the attacker controls the DNS for a domain and answers the first lookup with a public IP address, which passes the check, then answers the next lookup, made when the HTTP client actually opens the connection, with an internal IP address. The request is sent by the mindsdb server itself, so it carries the server's network position and bypasses controls that only filter traffic from outside, reaching internal databases, APIs, or cloud services such as an instance metadata endpoint. Depending on what those services expose, successful exploitation could lead to unauthorized data access, modification, or remote code execution. The impact is larger, not smaller, where mindsdb sits inside a strictly segmented network, because the server then becomes a trusted foothold the attacker borrows to cross the segmentation boundary.
CVE-2024-24759 was publicly disclosed on 2024-09-05. The vulnerability is easy to exploit and carries a critical CVSS score, and the EPSS estimate recorded below places it in the top percentile of CVEs, so the probability of exploitation should be treated as high. No public proof-of-concept (PoC) code had been released as of this writing, but DNS rebinding is a well-understood technique that is straightforward to reproduce, so the absence of a PoC offers little assurance. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 82.79% (99th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-24759 is to upgrade mindsdb to version 23.12.4.2 or later, which includes the URL validation fixes. If an immediate upgrade is not feasible, reduce exposure in the meantime. Restrict outbound connections from the mindsdb host to the destinations it genuinely needs, using a host firewall or an egress proxy, so that a forged request to an internal address is dropped regardless of what the application allows; block link-local and cloud metadata addresses explicitly. If you maintain a fork or wrapper around mindsdb's URL handling, validate the resolved IP address rather than the hostname, connect to that exact address instead of letting the HTTP client resolve the name a second time, and repeat the check on every redirect hop. Monitor for outbound connections from the mindsdb host to unexpected internal IP addresses, which is the observable signature of a successful bypass. After upgrading, confirm the fix by pointing mindsdb at a hostname you control that resolves first to a public address and then to an internal one, and verifying that the connection to the internal address is refused.
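The check-then-use gap described above, and the resolve-once-and-pin validation recommended as a workaround, as an added example: this is illustrative code written for this page, not mindsdb's code and not the fix shipped in 23.12.4.2. DNS answers and the outbound connection are simulated by plain functions so it runs offline, and every hostname and address in it is constructed for the example.

```python
"""DNS rebinding against a naive SSRF filter, and a resolve-once-then-pin fix.

Added illustration, not MindsDB code. DNS lookups and the outbound connection
are simulated by plain functions so the script runs offline; all hostnames and
addresses below are constructed for the example.
"""
import ipaddress
from typing import Callable, List

# A resolver maps a hostname to one IP string. Real code would call
# socket.getaddrinfo() and check every returned address, not just the first.
Resolver = Callable[[str], str]


def is_disallowed_ip(ip: str) -> bool:
    """Return True for addresses a server-side fetch must never reach.

    Unwraps IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot slip past an
    IPv4-only blocklist, then rejects anything not globally routable
    (loopback, RFC 1918, link-local incl. 169.254.169.254, reserved) and
    multicast.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def make_rebinding_resolver(answers: List[str]) -> Resolver:
    """Simulate an attacker-controlled DNS server that rebinds.

    The first lookup returns answers[0] (a public address, so the filter
    passes); each later lookup returns the next answer, ending on answers[-1]
    forever. A real attacker achieves this with a very low TTL.
    """
    calls = {"n": 0}

    def resolve(host: str) -> str:
        i = min(calls["n"], len(answers) - 1)
        calls["n"] += 1
        return answers[i]

    return resolve


def naive_fetch(host: str, resolve: Resolver) -> str:
    """Vulnerable pattern: validate one resolution, then let the HTTP client
    resolve the name again when it connects. Returns the IP actually used."""
    if is_disallowed_ip(resolve(host)):  # check: lookup #1
        raise ValueError("blocked by SSRF filter")
    return resolve(host)                 # use: lookup #2, may now be internal


def pinned_fetch(host: str, resolve: Resolver) -> str:
    """Hardened pattern: resolve once, validate that exact address, and connect
    to it directly (open the socket to the IP, send the original Host header).
    Apply the same check to every redirect target, since a 302 to an internal
    URL is the other classic bypass."""
    ip = resolve(host)
    if is_disallowed_ip(ip):
        raise ValueError("blocked by SSRF filter")
    return ip  # the connection target never changes after validation


def outcome(fetch: Callable[[str, Resolver], str], host: str, answers: List[str]) -> str:
    """Run one fetch strategy against a fresh rebinding resolver and report the
    address the request would reach, or 'blocked'."""
    try:
        return fetch(host, make_rebinding_resolver(answers))
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    # Constructed scenario: attacker.example first answers 8.8.8.8 (public),
    # then rebinds to loopback, where the server's own services listen.
    rebind = ["8.8.8.8", "127.0.0.1"]
    print("naive :", outcome(naive_fetch, "attacker.example", rebind))
    print("pinned:", outcome(pinned_fetch, "attacker.example", rebind))
    print("direct:", outcome(pinned_fetch, "metadata.example", ["169.254.169.254"]))
```

The naive strategy reports 127.0.0.1 as the connection target even though its own check passed, which is exactly the rebinding window; the pinned strategy keeps 8.8.8.8 and refuses a hostname that resolves straight to the metadata address. With a real HTTP client the pinning step means connecting to the validated IP (for example via a custom transport or adapter) while preserving the original Host header and TLS server name, and re-running the check on each redirect.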
Update MindsDB to version 23.12.4.2 or higher. This version contains a fix for the SSRF vulnerability. The update can be performed through the package manager used to install MindsDB.
CVE-2024-24759 is a critical SSRF vulnerability in mindsdb versions up to 23.9.3.1, allowing attackers to bypass URL validation and access internal resources via DNS rebinding.
Yes, if you are running mindsdb version 23.9.3.1 or earlier, you are vulnerable to this SSRF attack.
Upgrade mindsdb to version 23.12.4.2 or later to resolve the vulnerability. Implement temporary workarounds like firewall restrictions if immediate upgrade isn't possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and critical severity suggest a potential for exploitation.
Refer to the mindsdb security advisory for detailed information and updates: [https://mindsdb.com/security/advisories/CVE-2024-24759](https://mindsdb.com/security/advisories/CVE-2024-24759)