
AVID-2026-R1266

Description

MindsDB "Call to requests with verify=False disabling SSL certificate checks, security issue" (CVE-2023-38699)

Details

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, MindsDB made an HTTP call through the Python Requests library with verify=False, which turns off TLS certificate verification for that call: the client accepts any certificate the peer presents, so an on-path attacker can impersonate the remote endpoint and read or alter the traffic. Requests verifies certificates by default, and the correct way to trust a private CA is to pass the path of its PEM bundle as verify, not to set it to False. Version 23.7.4.0 removes the override, so certificates are validated, which is the desired behavior.
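The pattern behind this advisory, shown as an added example rather than MindsDB's own code: a small AST scanner that flags Requests calls passing verify=False (or verify=0, which Requests treats the same way), run over a constructed source snippet that contains two vulnerable calls and one hardened call. The function and snippet names are hypothetical; the scanner only catches literal False/0 values, not a variable that is set to False elsewhere.

```python
"""Added example, not code from MindsDB or the advisory.

Static check for Requests calls that disable TLS certificate verification,
plus a constructed sample showing the vulnerable and hardened forms.
"""
import ast
from typing import List, Tuple

# Requests entry points that accept verify=. Matching on the attribute name
# means `session.post(..., verify=False)` is reported as well as
# `requests.post(...)`.
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample source (hypothetical handler names, not MindsDB code).
SAMPLE_SOURCE = '''\
import requests

def fetch_insecure(url):
    # Vulnerable: verify=False turns off certificate validation, so an
    # on-path attacker can present any certificate and read or alter traffic.
    return requests.get(url, verify=False, timeout=10).json()

def post_insecure(session, url, payload):
    return session.post(url, json=payload, verify=0)

def fetch_verified(url, ca_bundle=None):
    # Hardened: leave verify at its default (True), or point it at the PEM
    # bundle of a private CA instead of disabling checks.
    return requests.get(url, verify=ca_bundle or True, timeout=10).json()
'''


def find_insecure_requests(source: str) -> List[Tuple[int, str]]:
    """Return (line, call_text) for every Requests-style call whose verify
    keyword is a literal False or 0, sorted by line number."""
    tree = ast.parse(source)
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name not in REQUESTS_FUNCS:
            continue
        for kw in node.keywords:
            # bool is a subclass of int, so this covers False and 0 but
            # not True, 1, or a CA-bundle path string.
            if (kw.arg == "verify"
                    and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, int)
                    and not kw.value.value):
                hits.append((node.lineno, ast.unparse(node)))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(hits)


if __name__ == "__main__":
    for lineno, call in find_insecure_requests(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}")
```

Run against the constructed sample it reports lines 6 and 9 and stays silent on the hardened fetch_verified, which keeps the Requests default or supplies a CA bundle path. Requires Python 3.9+ for ast.unparse.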

Reason for inclusion in AVID: The CVE describes a vulnerability in MindsDB's AI stack (AI Virtual Database) where a call to requests with verify=False disables SSL certificate checks prior to version 23.7.4.0. This directly affects software used in AI data pipelines and model deployment/serving, enabling eavesdropping on or tampering with data source communication by an on-path attacker. Since the issue is a software vulnerability in a component commonly used to build and run general-purpose AI systems, it constitutes a software supply-chain risk for AI stacks. The report provides explicit evidence (CVE ID, description, fix version) and references, supporting its relevance and severity.

References

Affected or Relevant Artifacts

  • Developer: mindsdb
  • Deployer: mindsdb
  • Artifact Details:
      ◦ Type: System
      ◦ Name: mindsdb

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Base Score: 9.1
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: NONE

CWE

  • CWE-311: Missing Encryption of Sensitive Data

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-08-04
  • Version: 0.3.3
  • AVID Entry