Vulnerability Description
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mindsdb | Mindsdb | < 23.7.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd9768991905Patch
- https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0Release Notes
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcwVendor Advisory
- https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd9768991905Patch
- https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0Release Notes
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcwVendor Advisory
FAQ
What is CVE-2023-38699?
CVE-2023-38699 is a vulnerability with a CVSS score of 9.1 (CRITICAL). MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This ru...
How severe is CVE-2023-38699?
CVE-2023-38699 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-38699?
Check the references section above for vendor advisories and patch information. Affected products include: Mindsdb Mindsdb.