GHSA-8HX6-QV6F-XGCW
Vulnerability from github – Published: 2023-08-01 19:55 – Updated: 2023-08-10 21:56Summary
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with verify=False disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior
Encryption in general is typically critical to the security of many applications. Using TLS can significantly increase security by guaranteeing the identity of the party you are communicating with. This is accomplished by one or both parties presenting trusted certificates during the connection initialization phase of TLS.
It is important to note that modules such as httplib within the Python standard library did not verify certificate chains until it was fixed in 2.7.9 release.
Details
Severity: Critical
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "MindsDB"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23.7.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38699"
],
"database_specific": {
"cwe_ids": [
"CWE-311"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T19:55:14Z",
"nvd_published_at": "2023-08-04T18:15:15Z",
"severity": "CRITICAL"
},
"details": "### Summary\nMindsDB\u0027s AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior\n\nEncryption in general is typically critical to the security of many applications. Using TLS can significantly increase security by guaranteeing the identity of the party you are communicating with. This is accomplished by one or both parties presenting trusted certificates during the connection initialization phase of TLS.\n\nIt is important to note that modules such as httplib within the Python standard library did not verify certificate chains until it was fixed in 2.7.9 release.\n\n### Details\nSeverity: Critical\n",
"id": "GHSA-8hx6-qv6f-xgcw",
"modified": "2023-08-10T21:56:51Z",
"published": "2023-08-01T19:55:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38699"
},
{
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b"
},
{
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
{
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2023-140.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "MindsDB can be made to not verify SSL certificates"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.