CVE-2023-38699 – mindsdb

Package

Manager: pip
Name: mindsdb
Vulnerable Version: >=0 <23.7.4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00093 pctl0.27111

Details

MindsDB can be made to not verify SSL certificates ### Summary MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior Encryption in general is typically critical to the security of many applications. Using TLS can significantly increase security by guaranteeing the identity of the party you are communicating with. This is accomplished by one or both parties presenting trusted certificates during the connection initialization phase of TLS. It is important to note that modules such as httplib within the Python standard library did not verify certificate chains until it was fixed in 2.7.9 release. ### Details Severity: Critical

Metadata

Created: 2023-08-01T19:55:14Z
Modified: 2023-08-10T21:56:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-8hx6-qv6f-xgcw/GHSA-8hx6-qv6f-xgcw.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-8hx6-qv6f-xgcw
Finding: F020
Auto approve: 1