CVE-2023-38699: Missing Encryption of Sensitive Data

August 4, 2023 (updated August 10, 2023)

MindsDB’s AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with verify=False disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior.

References

github.com/mindsdb/mindsdb/commit/083afcf6567cf51aa7d89ea892fd97689919053b
github.com/mindsdb/mindsdb/releases/tag/v23.7.4.0
github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw
nvd.nist.gov/vuln/detail/CVE-2023-38699

Code Behaviors & Features

Detect and mitigate CVE-2023-38699 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →