Platform
python
Component
mindsdb
Fixed in
23.12.5
23.12.4.2
CVE-2024-24759 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in mindsdb. This flaw allows attackers to manipulate DNS resolution, potentially redirecting requests to internal resources that should be inaccessible. The vulnerability affects versions of mindsdb up to and including 23.9.3.1, and a fix is available in version 23.12.4.2.
The SSRF vulnerability in mindsdb arises from insufficient validation of URLs, specifically failing to properly handle DNS rebinding attacks. DNS rebinding allows an attacker to initially resolve a domain to a public IP address and then, through subsequent DNS queries, redirect it to an internal IP address. This enables the attacker to craft requests that appear to originate from the mindsdb server, bypassing security controls and potentially accessing sensitive internal resources, such as databases, APIs, or cloud services. Successful exploitation could lead to unauthorized data access, modification, or even remote code execution depending on the internal services exposed. The impact is amplified if mindsdb is deployed in environments with strict network segmentation, as the SSRF bypass could circumvent these protections.
CVE-2024-24759 was publicly disclosed on 2024-09-05. Its ease of exploitation, combined with the critical CVSS score, suggests a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the DNS rebinding technique is well understood and readily exploitable. It is not currently listed in the CISA KEV catalog.
Organizations using mindsdb in production environments, particularly those with sensitive internal resources accessible via network services, are at risk. Deployments relying on strict network segmentation to protect internal systems are especially vulnerable, as the SSRF bypass can circumvent these controls. Users running older versions of mindsdb (≤23.9.3.1) are directly affected.
• python / server:
# Check for vulnerable mindsdb versions
ps aux | grep mindsdb | grep '23.9.3.1'
• generic web:
# Check for outbound requests to unexpected internal IPs in access logs
grep '127.0.0.1' /var/log/nginx/access.log
Exploit Status
EPSS
82.79% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-24759 is to upgrade mindsdb to version 23.12.4.2 or later, which includes the necessary URL validation fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting outbound network access from the mindsdb server to only necessary destinations using a firewall or proxy. Additionally, implement strict URL validation rules within the application code to prevent DNS rebinding attacks. Monitor network traffic for suspicious outbound requests to unexpected internal IP addresses. After upgrading, confirm the fix by attempting a DNS rebinding attack against the mindsdb instance and verifying that the request is properly blocked.
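One way to implement the "strict URL validation rules within the application code" workaround described above, as an added example that is neither mindsdb's own code nor the fix shipped in 23.12.4.2. The key point against DNS rebinding is that a check-then-connect sequence is a time-of-check/time-of-use race: the name must be resolved exactly once, every returned address vetted, and the request then pinned to one of those literal addresses with the original name carried in the Host header. The injectable `resolver` parameter and the hostname `models.example` are assumptions made so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Resolver signature: hostname -> iterable of IP address strings.
# Injectable so tests can run without DNS (an assumption of this example).
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address the OS resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (including 169.254.169.254 cloud
    metadata endpoints), multicast and unspecified addresses are rejected.
    IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped first so
    they cannot slip past the IPv4 checks.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def pin_public_url(url: str, resolver: Resolver = system_resolver) -> Tuple[str, Dict[str, str]]:
    """Validate `url` and return (pinned_url, headers) that are safe to fetch.

    The hostname is resolved once; all returned addresses must be public.
    The returned URL targets one vetted literal address, so the HTTP client
    never performs a second lookup that a rebinding attacker could flip.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    # A literal IP in the URL needs no lookup but must still pass the check.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")

    # Reject if ANY answer is non-public: a rebinding domain may return a
    # public and a private address in the same response set.
    rejected = [a for a in addrs if not is_public_address(a)]
    if rejected:
        raise ValueError(f"{host!r} resolves to non-public address(es): {rejected}")

    chosen = addrs[0]
    literal = f"[{chosen}]" if ipaddress.ip_address(chosen).version == 6 else chosen
    netloc = literal if parts.port is None else f"{literal}:{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
    host_header = host if parts.port is None else f"{host}:{parts.port}"
    return pinned, {"Host": host_header}


if __name__ == "__main__":
    # Constructed resolver standing in for DNS: first answer is public,
    # second is an internal address, which is exactly the rebinding pattern.
    fake_dns = {"models.example": ["93.184.216.34", "10.0.0.1"]}
    try:
        print(pin_public_url("http://models.example/api", resolver=lambda h: fake_dns[h]))
    except ValueError as exc:
        print("blocked:", exc)
```

For HTTPS the pinned URL alone is not enough: the TLS layer must still validate the certificate against the original hostname (SNI and `server_hostname`), which requires a client that lets you connect to an IP while verifying a different name; the `Host` header only covers the HTTP layer. Blocking on any non-public answer, rather than picking the first public one, is deliberate, because a rebinding domain commonly hands back a mix.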
Update MindsDB to version 23.12.4.2 or later. This version contains a fix for the SSRF vulnerability. The update can be applied through the package manager that was used to install MindsDB.
CVE-2024-24759 is a critical SSRF vulnerability in mindsdb versions up to 23.9.3.1, allowing attackers to bypass URL validation and access internal resources via DNS rebinding.
Yes, if you are running mindsdb version 23.9.3.1 or earlier, you are vulnerable to this SSRF attack.
Upgrade mindsdb to version 23.12.4.2 or later to resolve the vulnerability. Implement temporary workarounds like firewall restrictions if immediate upgrade isn't possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation and critical severity suggest a potential for exploitation.
Refer to the mindsdb security advisory for detailed information and updates: [https://mindsdb.com/security/advisories/CVE-2024-24759](https://mindsdb.com/security/advisories/CVE-2024-24759)