ByteOS Network

Vulnerability Details :

CVE-2023-38699

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-04 Aug, 2023 | 17:53

Updated At-03 Oct, 2024 | 18:11

MindsDB 'Call to requests with verify=False disabling SSL certificate checks, security issue.' issue

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:04 Aug, 2023 | 17:53

Updated At:03 Oct, 2024 | 18:11

▼CVE Numbering Authority (CNA)

MindsDB 'Call to requests with verify=False disabling SSL certificate checks, security issue.' issue

Affected Products

Vendor

mindsdb

Product

mindsdb

Versions

Affected

< 23.7.4.0

Problem Types

Type	CWE ID	Description
CWE	CWE-311	CWE-311: Missing Encryption of Sensitive Data

Type: CWE

CWE ID: CWE-311

Description: CWE-311: Missing Encryption of Sensitive Data

Metrics

Version	Base score	Base severity	Vector
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Hyperlink	Resource
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw	x_refsource_CONFIRM
https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b	x_refsource_MISC
https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0	x_refsource_MISC

Hyperlink: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b

Resource:

x_refsource_MISC

Hyperlink: https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw	x_refsource_CONFIRM x_transferred
https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b	x_refsource_MISC x_transferred
https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0	x_refsource_MISC x_transferred

Hyperlink: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw

Resource:

x_refsource_CONFIRM

x_transferred

Hyperlink: https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0

Resource:

x_refsource_MISC

x_transferred

2. CISA ADP Vulnrichment

Affected Products

Vendor

mindsdb

Product

mindsdb

CPEs

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

From 0 before 23.7.4.0 (custom)

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security-advisories@github.com

Published At:04 Aug, 2023 | 18:15

Updated At:10 Aug, 2023 | 15:25

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary	3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CPE Matches

mindsdb>>mindsdb>>Versions before 23.7.4.0(exclusive)

cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-311	Primary	security-advisories@github.com

CWE ID: CWE-311

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b	security-advisories@github.com	Patch
https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0	security-advisories@github.com	Release Notes
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b

Source: security-advisories@github.com

Resource:

Patch

Hyperlink: https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0

Source: security-advisories@github.com

Resource:

Release Notes

Hyperlink: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw

Source: security-advisories@github.com

Resource:

Vendor Advisory

CVE-2023-38699

Credits

MindsDB 'Call to requests with verify=False disabling SSL certificate checks, security issue.' issue

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs