CVE-2024-24759
published 2024-09-05

Priority: P265 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT
EPSS: 4.94% (91.1th percentile)

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.
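
Why a hostname-based SSRF check can be bypassed by DNS rebinding, and the resolve-once pattern that closes the gap. This is an added example, not MindsDB's code or its patch; the function names, the resolver stub, the hostname and the IP answers are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_public(ip):
    """True only for globally routable IPs (rejects loopback, RFC 1918, link-local)."""
    return ipaddress.ip_address(ip).is_global


class RebindingResolver:
    """Constructed stand-in for DNS: a short-TTL name whose answer changes per lookup."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host):
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [ip]


def check_then_fetch_target(url, resolve):
    """Weak pattern: the check and the HTTP client each resolve the name themselves."""
    host = urlsplit(url).hostname
    if not host or not all(is_public(ip) for ip in resolve(host)):  # lookup 1: the check
        raise ValueError("blocked: non-public destination")
    return resolve(host)[0]  # lookup 2: the address the client actually connects to


def pinned_fetch_target(url, resolve):
    """Hardened pattern: resolve once, validate every answer, connect to that same IP."""
    host = urlsplit(url).hostname
    ips = resolve(host) if host else []
    if not ips or not all(is_public(ip) for ip in ips):
        raise ValueError("blocked: non-public destination")
    return ips[0]  # caller connects to this IP and sends `host` as Host header / SNI


if __name__ == "__main__":
    url = "https://rebind.example/"  # constructed hostname
    answers = ["93.184.216.34", "127.0.0.1"]  # constructed: public first, loopback second
    print("check-then-fetch connects to:", check_then_fetch_target(url, RebindingResolver(answers)))
    print("pinned fetch connects to:   ", pinned_fetch_target(url, RebindingResolver(answers)))
```

The same validation has to be repeated for every redirect hop, since each hop is a new name to resolve.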

Affected

3 ranges
Vendor | Product | Version range | Fixed in
mindsdb | mindsdb | < 23.12.4.2 | 23.12.4.2
mindsdb | mindsdb | >= 0 < 23.12.4.2 | 23.12.4.2
mindsdb | mindsdb | >= 0 < 5f7496481bd3db1d06a2d2e62c0dce960a1fe12b | 5f7496481bd3db1d06a2d2e62c0dce960a1fe12b

Detection & IOCs (extracted from sources)

url: /check_private_url?url=https://{{interactsh-url}}/
path: /check_private_url
Nuclei template
id: CVE-2024-24759
info:
  name: MindsDB - DNS Rebinding SSRF Protection Bypass
  author: Lee Changhyun(eeche)
  severity: high
http:
  - raw:
      - |
        GET /check_private_url?url=https://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      # An HTTP interaction recorded by the OAST server shows the target made the outbound request.
      - type: word
        part: interactsh_protocol
        words:
          - "http"
  • Probe for the vulnerable SSRF-check endpoint by sending a GET request to /check_private_url with an external (OAST/interactsh) URL as the `url` parameter; a successful DNS/HTTP callback to the interactsh server confirms the SSRF protection bypass via DNS rebinding.
  • First confirm the target is a MindsDB instance by checking that the response body contains the string 'mindsdb' (case-insensitive) before probing the vulnerable endpoint.
  • Use Shodan query `title:"mindsdb"` to identify exposed MindsDB instances that may be vulnerable.
  • Monitor for outbound DNS/HTTP callbacks originating from the MindsDB server process triggered by requests to /check_private_url — this indicates successful DNS rebinding exploitation of the SSRF protection bypass.
  • The Nuclei template uses a two-step flow (http(1) && http(2)): the first request validates the target is MindsDB before the SSRF probe is sent. Both steps must succeed for a confirmed finding.
  • Exploitation requires an out-of-band (OAST) interaction server (e.g., interactsh) to confirm the DNS rebinding bypass; passive/inline detection alone is insufficient.
  • The vulnerability affects MindsDB versions prior to 23.12.4.2; the patch is included in version 23.12.4.2.