Missing Encryption of Sensitive Data

CVE-2023-38699

Severity Medium
Score 6.5/10

Summary

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any data source. In versions prior to 23.7.4.0, a call to the Requests library is made with `verify=False`, which disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In the patched versions, certificates are validated by default, which is the desired behavior.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-311 - Missing Encryption of Sensitive Data

The software does not encrypt sensitive or critical information before storage or transmission.

Advisory Timeline

  • Published