Missing Encryption of Sensitive Data
CVE-2023-38699
Summary
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any data source. In versions prior to 23.7.4.0, a call to `requests` is made with `verify=False`, which disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In the patched versions, certificates are validated by default, which is the desired behavior.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.
References
Advisory Timeline
- Published