MindsDB 'Call to requests with verify=False disabling SSL certificate checks, security issue.' issue
CVE-2023-38699

9.1CRITICAL

Key Information:

Vendor: Mindsdb
Status: Mindsdb
Vendor: CVE Published:; 4 August 2023

What is CVE-2023-38699?

The MindsDB AI Virtual Database, a tool for integrating AI/ML models with various data sources, previously allowed connections with SSL certificates disabled by default. This vulnerability, affecting versions prior to 23.7.4.0, could expose applications to man-in-the-middle attacks, as the Requests library accepted connections without verifying SSL certificates. The recent update to version 23.7.4.0 addresses this issue by enforcing SSL certificate checks, ensuring secure data transactions.

Affected Version(s)

mindsdb < 23.7.4.0

References

https://github.com/mindsdb/mindsdb/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51...

x_refsource_MISC

https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 4, 2023
Vulnerability Reserved
Jul 24, 2023

Mindsdb

What is CVE-2023-38699?

Affected Version(s)

References

CVSS V3.1

Timeline