Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server
History

Mon, 25 Nov 2024 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-613

Fri, 23 Aug 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mage
Mage mage-ai
Weaknesses CWE-266
CPEs cpe:2.3:a:mage:mage-ai:*:*:*:*:*:python:*:*
Vendors & Products Mage
Mage mage-ai
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Aug 2024 19:15:00 +0000

Type Values Removed Values Added
Description Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server
Title Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2024-08-23T18:58:59.693Z

Updated: 2024-11-25T12:40:10.567Z

Reserved: 2024-08-22T07:56:35.555Z

Link: CVE-2024-45187

cve-icon Vulnrichment

Updated: 2024-08-23T19:24:31.356Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-08-23T19:15:07.077

Modified: 2024-11-25T13:15:06.577

Link: CVE-2024-45187

cve-icon Redhat

No data.