CVE-2024-24759
Published 2024-09-05
Priority P265 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT
EPSS: 4.94% (91.1th percentile)
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mindsdb | mindsdb | < 23.12.4.2 | 23.12.4.2 |
| mindsdb | mindsdb | >= 0 < 23.12.4.2 | 23.12.4.2 |
| mindsdb | mindsdb | >= 0 < 5f7496481bd3db1d06a2d2e62c0dce960a1fe12b | 5f7496481bd3db1d06a2d2e62c0dce960a1fe12b |
Detection & IOCs
url: /check_private_url?url=https://{{interactsh-url}}/
path: /check_private_url
sigma
```yaml
id: CVE-2024-24759
info:
  name: MindsDB -DNS Rebinding SSRF Protection Bypass
  author: Lee Changhyun(eeche)
  severity: high
http:
  - raw:
      - |
        GET /check_private_url?url=https://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
```
- Probe for the vulnerable SSRF-check endpoint by sending a GET request to /check_private_url with an external (OAST/interactsh) URL as the `url` parameter; a successful DNS/HTTP callback to the interactsh server confirms the SSRF protection bypass via DNS rebinding.
- First confirm the target is a MindsDB instance by checking that the response body contains the string 'mindsdb' (case-insensitive) before probing the vulnerable endpoint.
- Use Shodan query `title:"mindsdb"` to identify exposed MindsDB instances that may be vulnerable.
- Monitor for outbound DNS/HTTP callbacks originating from the MindsDB server process triggered by requests to /check_private_url; this indicates successful DNS rebinding exploitation of the SSRF protection bypass.
- The Nuclei template uses a two-step flow (http(1) && http(2)): the first request validates the target is MindsDB before the SSRF probe is sent. Both steps must succeed for a confirmed finding.
- Exploitation requires an out-of-band (OAST) interaction server (e.g., interactsh) to confirm the DNS rebinding bypass; passive/inline detection alone is insufficient.
- The vulnerability affects MindsDB versions prior to 23.12.4.2; the patch is included in version 23.12.4.2.
OSV
MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
osv·2024-09-05
CVE-2024-24759 [HIGH] MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
### Summary
DNS rebinding is a method of manipulating the resolution of domain names so that the initial DNS query returns one address and the second returns another. For instance, the host `make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms` would initially resolve to `190.119.176.200` and on the next DNS query to `127.0.0.1`. Please note the following in the latest codebase:
```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_private_url(url: str):
    """
    Raises exception if url is private
    :param url: url to check
    """
    hostname = urlparse(url).hostname
    if not hostname:
        # Unable to find hostname in url
        return True
    # The name is resolved for this check only; the resulting IP is not
    # returned to the caller, only the boolean verdict is.
    ip = socket.gethostbyname(hostname)
    return ipaddress.ip_address(ip).is_private
```
As you can see, during the call to `is_private_url()` the initial DNS
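The check-then-request gap the summary describes, next to a resolve-once-and-pin alternative. This is an added example, not MindsDB's code or its patch; the function names, the injected `resolver` parameter and `RebindingResolver` (a constructed stand-in for a rebinding DNS server) are assumptions made for illustration. It goes slightly beyond the quoted function by validating every returned address and by using `is_global` instead of `is_private`.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def resolve_all(hostname):
    """Return every address the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def pin_public_address(url, resolver=resolve_all):
    """Resolve the host once; return (hostname, ip) the client must connect to."""
    hostname = urlparse(url).hostname
    if not hostname:
        raise ValueError("no hostname in URL")
    addresses = [ipaddress.ip_address(a) for a in resolver(hostname)]
    if not addresses:
        raise ValueError("hostname did not resolve")
    for addr in addresses:
        # is_global is False for loopback, RFC 1918, link-local and similar ranges
        if not addr.is_global:
            raise ValueError(f"{hostname} resolves to non-public {addr}")
    return hostname, str(addresses[0])


class RebindingResolver:
    """Constructed sample: first answer is public, every later answer is loopback."""

    def __init__(self):
        self.queries = 0

    def __call__(self, hostname):
        self.queries += 1
        return ["190.119.176.200"] if self.queries == 1 else ["127.0.0.1"]


def check_then_fetch_target(url, resolver):
    """Flawed pattern: one lookup for the check, a second one for the connection."""
    pin_public_address(url, resolver)            # lookup 1 passes the check
    return resolver(urlparse(url).hostname)[0]   # lookup 2 is what the client dials


def pinned_fetch_target(url, resolver):
    """Hardened pattern: connect to the address that was actually validated."""
    _, ip = pin_public_address(url, resolver)
    return ip
```

The HTTP client then has to connect to the returned IP while sending the original hostname in the Host header and SNI, and the same check has to be repeated for every redirect target.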
GHSA
MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
ghsa·2024-09-05
CVE-2024-24759 [HIGH] CWE-350 MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
OSV
CVE-2024-24759: MindsDB is a platform for building artificial intelligence from enterprise data
osv·2024-09-05
No detection rules found.
Nuclei
MindsDB -DNS Rebinding SSRF Protection Bypass
nuclei·CVSS 9.1
CVE-2024-24759 [CRITICAL] MindsDB -DNS Rebinding SSRF Protection Bypass
Detects DNS rebinding vulnerability that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism where DNS resolution is performed without considering DNS rebinding attacks.
Template:
```yaml
id: CVE-2024-24759
info:
  name: MindsDB -DNS Rebinding SSRF Protection Bypass
  author: Lee Changhyun(eeche)
  severity: high
  description: |
    Detects DNS rebinding vulnerability that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism where DNS resolution is performed without considering DNS rebinding attacks.
  impact: |
    SSRF Protection Bypass via DNS Rebinding
  remediation: |
    Upgrade to mindsdb version 23.12.4.2 or later
  reference:
    - https://github.com/advisories/GHSA-4jcv-vp96-94xr
    - https://n
```
No writeups or analysis indexed.
2024-09-05
Published