CVE-2023-38699: MindsDB can be made to not verify SSL certificates
CVSS Score: 9.1 (CVSS v3.1)
Basic Information
| Field | Value |
|---|---|
| CVE ID | CVE-2023-38699 |
| GHSA ID | |
| EPSS Score | 0.27318% |
| CWE | |
| Published | 8/1/2023 |
| Updated | 11/10/2023 |
| KEV Status | No |
| Technology | Python |
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| MindsDB | pip | < 23.7.4.0 | 23.7.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was patched by removing the `verify=False` argument from a `requests.post` call in dremio_handler.py. The commit diff shows this security-sensitive argument was present in the `connect` method of `DremioHandler` before the fix; passing `verify=False` to requests disables TLS certificate validation for that request. This matches the CVE description of disabled certificate validation, and the modified file and line are clearly identified in the provided vulnerability data.
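As an added illustration (not MindsDB's code or the actual patch), the block below contrasts the vulnerable and patched shapes of a `connect` call with a small AST check that flags `requests` calls passing `verify=False`, the kind of check that would have caught this before release. The `DremioHandler` snippets and the URL/auth attributes are constructed samples, not the project's source.

```python
# Added example: detect requests.* calls that disable TLS certificate
# verification (verify=False), the defect fixed in CVE-2023-38699.
import ast

# Constructed sample in the shape of the vulnerable connect() call
# (not the real MindsDB source): verify=False disables certificate checks.
VULNERABLE_SRC = '''
import requests

class DremioHandler:
    def connect(self):
        resp = requests.post(self.url, auth=self.auth, verify=False)
        return resp
'''

# Constructed sample in the shape of the patched call: the argument is
# simply removed, so requests falls back to its default of verify=True.
PATCHED_SRC = '''
import requests

class DremioHandler:
    def connect(self):
        resp = requests.post(self.url, auth=self.auth)
        return resp
'''

# HTTP verb helpers exposed by requests (module-level and on Session).
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "request"}


def find_disabled_tls_verification(source: str) -> list[tuple[int, str]]:
    """Return (line, callee) for each requests-style call with verify=False.

    Heuristic: matches any attribute call whose name is an HTTP verb
    (requests.post, session.get, ...) and whose keyword arguments include
    the literal verify=False. A verify value computed at runtime is not
    resolved here and would need manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in REQUESTS_FUNCS:
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, ast.unparse(func)))
    return findings
```

Running the check over the vulnerable sample reports the `requests.post` call on its line; the patched sample produces no findings.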