Cyber Resilience

CVE-2024-24759

Critical | Public PoC

Published: 05 September 2024
Modified: 06 September 2024
KEV Added: not listed
Patch: available (version 23.12.4.2)
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.8079 (99.2nd percentile)
Risk Priority: 67 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-24759 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in MindsDB (vendor Mindsdb, product Mindsdb). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, falls in the Other ATLAS/OWASP Terms risk domain, and the MITRE ATLAS technique in scope is External Harms (AML.T0048).

Deeper analysis

MindsDB is an open-source platform for building AI models from enterprise data. Prior to version 23.12.4.2, the application's server-side request forgery protection (CWE-918) could be bypassed through DNS rebinding: a hostname that resolves to a permitted address at validation time can be made to resolve to a different, internal address when the request is actually sent. This allowed an attacker to circumvent the SSRF protections across the whole application and potentially trigger denial-of-service conditions. The issue received a CVSS 3.1 score of 9.3, reflecting network-accessible exploitation with low attack complexity and no required credentials.

An unauthenticated remote attacker can exploit the weakness by sending crafted requests that leverage DNS rebinding to reach internal resources or services otherwise protected by the SSRF controls. Successful exploitation can result in disclosure of sensitive information from internal systems and limited availability impact through denial of service.

The official GitHub Security Advisory GHSA-4jcv-vp96-94xr and the corresponding patch commit confirm that upgrading to MindsDB 23.12.4.2 resolves the DNS rebinding bypass. The current EPSS score of 0.8079, with a recorded peak of 0.8279, indicates sustained exploitation interest following disclosure.


Vulnerability details

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: MindsDB is explicitly described as a platform for building artificial intelligence from enterprise data, aligning with Enterprise AI Assistants as it targets enterprise use cases for AI integration.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service (Impact): Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

The vulnerability enables exploitation of a public-facing application via SSRF bypass with DNS Rebinding (T1190) and facilitates denial of service, likely through resource exhaustion (T1499).

MITRE ATLAS Techniques

AML.T0048: External Harms

Affected Assets

mindsdb / mindsdb, versions ≤ 23.12.4.2

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-918) Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- (addresses CWE-918) Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- (addresses CWE-918) Validates server-side URLs and resource references to block SSRF attempts.
- (addresses CWE-918) Detects server-side request forgery through monitoring of unexpected outbound connections.
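The "validates server-side URLs" control above only holds against DNS rebinding if the address that was validated is the address that is actually connected to. The following Python is an added example, not code from MindsDB or from this advisory: it contrasts a check-then-use validator, which re-resolves the hostname at connect time and so can be redirected by a nameserver that changes its answer, with a validator that resolves once, vets every returned address and pins the request to that address. The `RebindingResolver`, the hostname `api.example.invalid` and the IP addresses are constructed for the demonstration; the resolver is injected so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# A resolver maps a hostname to its IP address strings. Injecting it keeps
# the demonstration offline and lets us simulate a rebinding nameserver.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup through the OS resolver (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(address: str) -> bool:
    """True only for addresses routable on the public Internet. Loopback,
    RFC 1918, link-local (including the 169.254.169.254 metadata address),
    multicast, reserved and unspecified ranges are rejected, and IPv4
    addresses mapped into IPv6 (::ffff:a.b.c.d) are unwrapped first so the
    IPv6 form cannot slip past an IPv4-only check."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class RebindingResolver:
    """Constructed stand-in for a nameserver that answers with one set of
    addresses on the first lookup and a different set on every later lookup,
    which is the behaviour a DNS rebinding attack relies on."""

    def __init__(self, first: List[str], later: List[str]) -> None:
        self.answers = [first, later]
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer


def check_then_use(url: str, resolve: Resolver) -> str:
    """Weak pattern: validate whatever the hostname resolves to now, then let
    the HTTP client resolve the name again when it connects. Returns the
    address the client would actually connect to."""
    host = urlsplit(url).hostname
    if host is None or not all(is_public_ip(a) for a in resolve(host)):
        raise ValueError("blocked by SSRF filter")
    # Second lookup at connect time: a rebinding nameserver answers
    # differently here, so the validated address is not the one used.
    return resolve(host)[0]


def pinned_destination(url: str, resolve: Resolver) -> Tuple[str, int, str]:
    """Hardened pattern: resolve once, validate every returned address, and
    hand back the (ip, port, host) triple the caller must connect to by IP,
    sending `host` in the Host header / SNI. No second lookup happens, so a
    changed DNS answer after validation cannot redirect the request. Any
    HTTP redirect the response carries must go through this function again."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs are allowed")
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host")
    addresses = resolve(host)
    if not addresses:
        raise ValueError("hostname did not resolve")
    for address in addresses:
        if not is_public_ip(address):
            raise ValueError(f"{host} resolves to non-public address {address}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return addresses[0], port, host


if __name__ == "__main__":
    url = "http://api.example.invalid/data"  # constructed hostname
    public_then_loopback = (["93.184.216.34"], ["127.0.0.1"])
    # Weak validator: the check passes, but the connection goes to loopback.
    print(check_then_use(url, RebindingResolver(*public_then_loopback)))
    # Pinned validator with the same rebinding nameserver keeps the vetted IP.
    print(pinned_destination(url, RebindingResolver(*public_then_loopback)))
```

The triple returned by `pinned_destination` is only useful if the HTTP client is made to open its socket to that IP rather than to the hostname (for example through a custom connection adapter or by passing the IP as the target and the original name as the Host header); an outbound egress filter at the network boundary, as listed among the controls above, remains the backstop for the case where application-level pinning is bypassed.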
