Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-8hx6-qv6f-xgcw

GitHub Security Advisory

MindsDB can be made to not verify SSL certificates

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

### Summary
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior

Encryption in general is typically critical to the security of many applications. Using TLS can significantly increase security by guaranteeing the identity of the party you are communicating with. This is accomplished by one or both parties presenting trusted certificates during the connection initialization phase of TLS.

It is important to note that modules such as httplib within the Python standard library did not verify certificate chains until it was fixed in 2.7.9 release.

### Details
Severity: Critical

Affected Packages

PyPI MindsDB
Affected versions: 0 (fixed in 23.7.4.0)

Related CVEs

CVE-2023-38699

Key Information

GHSA ID
GHSA-8hx6-qv6f-xgcw
Published
August 1, 2023 7:55 PM
Last Modified
August 10, 2023 9:56 PM
CVSS Score
9.0 /10
Primary Ecosystem
PyPI
Primary Package
MindsDB
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.