Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server
Metrics
Affected Vendors & Products
References
History
Mon, 25 Nov 2024 13:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-613 |
Fri, 23 Aug 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Mage
Mage mage-ai |
|
Weaknesses | CWE-266 | |
CPEs | cpe:2.3:a:mage:mage-ai:*:*:*:*:*:python:*:* | |
Vendors & Products |
Mage
Mage mage-ai |
|
Metrics |
ssvc
|
Fri, 23 Aug 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server | |
Title | Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: JFROG
Published: 2024-08-23T18:58:59.693Z
Updated: 2024-11-25T12:40:10.567Z
Reserved: 2024-08-22T07:56:35.555Z
Link: CVE-2024-45187
Vulnrichment
Updated: 2024-08-23T19:24:31.356Z
NVD
Status : Awaiting Analysis
Published: 2024-08-23T19:15:07.077
Modified: 2024-11-25T13:15:06.577
Link: CVE-2024-45187
Redhat
No data.