9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38699

GHSA ID

GHSA-8hx6-qv6f-xgcw

EPSS Score

0.27318%

CWE

CWE-311

Published

8/1/2023

Updated

11/10/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38699

CVE-2023-38699: MindsDB can be made to not verify SSL certificates

Summary

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with verify=False disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior

Encryption in general is typically critical to the security of many applications. Using TLS can significantly increase security by guaranteeing the identity of the party you are communicating with. This is accomplished by one or both parties presenting trusted certificates during the connection initialization phase of TLS.

It is important to note that modules such as httplib within the Python standard library did not verify certificate chains until it was fixed in 2.7.9 release.

Details

Severity: Critical

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38699

GHSA ID

GHSA-8hx6-qv6f-xgcw

EPSS Score

0.27318%

CWE

CWE-311

Published

8/1/2023

Updated

11/10/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
MindsDB	pip	< 23.7.4.0	23.7.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly patched by removing the 'verify=False' parameter from a requests.post call in dremio_handler.py. The commit diff shows this security-sensitive parameter was present in the connect method of DremioHandler prior to the fix. This matches the CVE description about disabled certificate validation, and the file/line modification is clearly identified in the provided vulnerability data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Min*s**'s *I Virtu*l **t***s* *llows **v*lop*rs to *onn**t *ny *I/ML mo**l to *ny **t*sour**. Prior to v*rsion **.*.*.*, * **ll to r*qu*sts wit* `v*ri*y=**ls*` *is**l*s SSL **rti*i**t* ****ks. T*is rul* *n*or**s *lw*ys v*ri*yin* SSL **rti

Reasoning

T** vuln*r**ility w*s *xpli*itly p*t**** *y r*movin* t** 'v*ri*y=**ls*' p*r*m*t*r *rom * `r*qu*sts.post` **ll in `*r*mio_**n*l*r.py`. T** *ommit *i** s*ows t*is s**urity-s*nsitiv* p*r*m*t*r w*s pr*s*nt in t** `*onn**t` m*t*o* o* `*r*mio**n*l*r` prior

9.1

Basic Information

Concerned about an active attack path?

CVE-2023-38699: MindsDB can be made to not verify SSL certificates

Summary

Details

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI