PT-2023-26563 · Mindsdb+1

Truesoni · Published 2023-08-01 · Updated 2023-08-10 · CVE-2023-38699

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

MindsDB versions prior to 23.7.4.0

Description

The issue concerns MindsDB's AI Virtual Database, which allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to the Requests library is made with verify=False, which disables SSL/TLS certificate checks. This behavior can compromise the security of applications, because the identity of the party being communicated with is no longer guaranteed. Using TLS with certificate validation significantly increases security: the server presents a trusted certificate during the connection initialization phase, and the client rejects the connection if it does not validate.

Recommendations

For versions prior to 23.7.4.0, update to version 23.7.4.0 or later, where certificates are validated by default. As a temporary workaround, set verify=True for all requests so that SSL/TLS certificate checks are enabled. Restrict access to the Requests library until the update is applied to minimize the risk of exploitation.
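To find the pattern this advisory describes in a code base, the following added example (not MindsDB's or Requests' own code) walks a Python AST and reports Requests calls made with verify=False, as well as Session.verify attributes set to False; the SAMPLE source it scans is constructed for illustration and shows the weak call next to the corrected one.

```python
"""Scan Python source for Requests usage that disables TLS certificate
verification (verify=False), the weakness behind CVE-2023-38699.

Added example for this advisory, not MindsDB's or Requests' own code.
"""
import ast

# Requests module / Session methods that accept a verify= keyword
REQUEST_FUNCS = {"get", "post", "put", "patch", "delete", "head",
                 "options", "request"}


def _is_false(node):
    # True only for the literal constant False
    return isinstance(node, ast.Constant) and node.value is False


def find_insecure_requests(source):
    """Return sorted (line, reason) pairs for each spot that turns off checks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # requests.get(url, verify=False) or session.post(..., verify=False)
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in REQUEST_FUNCS):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((node.lineno, "verify=False in call"))
        # session.verify = False disables checks for every later request
        if isinstance(node, ast.Assign) and _is_false(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify":
                    findings.append((node.lineno, "Session.verify set to False"))
    return sorted(findings)


# Constructed sample: the weak pattern beside the corrected one.
SAMPLE = """\
import requests
resp = requests.get("https://api.example.invalid/models", verify=False)  # weak
resp = requests.get("https://api.example.invalid/models", verify=True)   # fixed
s = requests.Session()
s.verify = False  # weak: applies to every request made on this session
"""

if __name__ == "__main__":
    for line, reason in find_insecure_requests(SAMPLE):
        print(f"line {line}: {reason}")
```

Running it over SAMPLE reports lines 2 and 5; the verify=True call on line 3 is not flagged.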


Weakness Enumeration

Missing Encryption of Sensitive Data

Related Identifiers

CVE-2023-38699
GHSA-8HX6-QV6F-XGCW
PYSEC-2023-140

Affected Products

Mindsdb
Requests