CVE-2023-38699

9.1 CRITICAL

📋 TL;DR

MindsDB versions before 23.7.4.0 made outbound HTTPS requests (through the Python requests library) with SSL/TLS certificate verification disabled. An attacker positioned between MindsDB and an external data source can therefore present any certificate, terminate the TLS session, and read or modify the data in transit. This affects every MindsDB deployment that connects to external data sources over HTTPS.

💻 Affected Systems

Products:
  • MindsDB
Versions: All versions before 23.7.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when making HTTPS requests to external data sources.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could intercept sensitive data (credentials, PII, proprietary data) being transmitted between MindsDB and external data sources, or inject malicious data/responses.

🟠

Likely Case

Data interception leading to information disclosure of whatever data MindsDB is processing from external sources.

🟢

If Mitigated

With certificate verification enabled, MindsDB rejects any HTTPS connection whose server certificate does not chain to a trusted CA or does not match the requested hostname, so an on-path attacker can no longer substitute their own certificate and the connection is both authenticated and encrypted.

🌐 Internet-Facing: HIGH - Any MindsDB instance connecting to external internet resources over HTTPS is vulnerable to MITM attacks.
🏢 Internal Only: MEDIUM - Internal network MITM attacks are still possible but require internal network access.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY (no bespoke exploit is needed; generic TLS interception tooling suffices once an attacker is on path)
Unauthenticated Exploit: ✅ Yes (no MindsDB credentials are required, only a network position between MindsDB and the data source)
Complexity: LOW

Exploitation requires an on-path network position (MITM) between MindsDB and the external data source; no authentication bypass is involved because the weakness is at the transport layer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.7.4.0

Vendor Advisory: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-8hx6-qv6f-xgcw

Restart Required: Yes

Instructions:

1. Update MindsDB to version 23.7.4.0 or later (quote the specifier so the shell does not treat >= as a redirect): pip install --upgrade "mindsdb>=23.7.4.0"
2. Restart the MindsDB service/application
3. Confirm that no code path still disables verification: the patched package should make no requests calls with verify=False, and neither should any custom handlers or scripts you deploy alongside it

🔧 Temporary Workarounds

Environment variable enforcement

linux

REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE only tell the Python requests library which CA bundle to trust. requests consults them only when a call leaves verify at its default; a call that passes verify=False, which is the pattern this advisory describes, ignores them entirely. Setting them is sound hygiene on any host but does not mitigate this issue on an unpatched install.

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Network segmentation

all

Isolate MindsDB instances from untrusted networks to reduce MITM risk

🧯 If You Can't Patch

  • Deploy network monitoring/IDS to detect MITM attempts on MindsDB traffic
  • Use VPNs or dedicated secure channels for all external data source connections

🔍 How to Verify

Check if Vulnerable:

If the installed MindsDB version is below 23.7.4.0 it is vulnerable regardless of configuration. Separately, check any custom handlers or scripts that run alongside MindsDB for requests calls that pass verify=False or that set Session.verify = False; the patch does not fix code you wrote yourself.
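The following scanner is an added example, not MindsDB's own code: it parses Python source with the standard-library ast module and reports the two common ways requests verification gets switched off (a verify=False keyword on a call, or Session.verify = False). The SAMPLE_SOURCE string is constructed for the demonstration and is not taken from MindsDB.

```python
"""Locate code that disables TLS certificate verification in Python HTTP calls.

Added example, not MindsDB code. Standard library only.
"""
import ast
import pathlib

# Constructed sample source for demonstration; it is not taken from MindsDB.
SAMPLE_SOURCE = '''
import requests
from requests import Session

def fetch_rows(url):
    return requests.get(url, verify=False, timeout=30)   # verification off

def post_rows(url, payload):
    s = Session()
    s.verify = False                                     # verification off
    return s.post(url, json=payload)

def fetch_ok(url):
    return requests.get(url, timeout=30)                 # default: verify=True

def fetch_pinned(url):
    return requests.get(url, verify="/etc/ssl/certs/ca-certificates.crt")
'''

# Method names requests (and Session objects) use to issue HTTP calls.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_false(node):
    # Only the literal False; verify=0 is not the idiom being hunted.
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source, filename="<string>"):
    """Return (filename, line, description) tuples in source order."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in HTTP_METHODS:
                for kw in node.keywords:
                    if kw.arg == "verify" and _is_false(kw.value):
                        findings.append((filename, node.lineno, f"{name}() called with verify=False"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify":
                    findings.append((filename, node.lineno, "Session.verify assigned False"))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(findings, key=lambda f: (f[0], f[1]))


def scan_tree(root):
    """Scan every .py file under root, e.g. the installed mindsdb package directory."""
    findings = []
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            findings.extend(find_disabled_verification(path.read_text(encoding="utf-8"), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            continue  # skip unparsable files rather than abort the whole scan
    return findings


if __name__ == "__main__":
    for fname, line, desc in find_disabled_verification(SAMPLE_SOURCE, "sample.py"):
        print(f"{fname}:{line}: {desc}")
```

To check an installed package, point scan_tree at its directory (for example the parent of mindsdb.__file__ from the same interpreter that runs the service) and treat any hit as a finding to explain; positional verify arguments and verification disabled through a custom adapter are outside what this scanner sees.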

Check Version:

python -c "import mindsdb; print(mindsdb.__version__)" (run with the interpreter or virtualenv that actually serves MindsDB), or inspect the package metadata with pip show mindsdb

Verify Fix Applied:

After updating, an HTTPS connection from MindsDB to an endpoint that presents an invalid certificate (expired, self-signed, or issued for a different hostname) must fail with a certificate verification error. If such a connection succeeds, verification is still disabled somewhere on that code path.

📡 Detection & Monitoring

Log Indicators:

  • Certificate verification failures (for example CERTIFICATE_VERIFY_FAILED) on data source connections after patching. Some are expected where a source uses a self-signed or internal-CA certificate; resolve those by trusting the correct CA, never by disabling verification again
  • Verification failures against several unrelated external hosts in the same window, which points at an on-path interceptor rather than one misconfigured endpoint
  • Unusual external connection patterns

Network Indicators:

  • TLS sessions from MindsDB in which the server certificate does not chain to a trusted CA or does not match the requested hostname
  • Plaintext traffic on connections where HTTPS is expected

SIEM Query (illustrative; the field names depend on how your MindsDB logs are ingested):

source="mindsdb" AND (event="connection_error" OR event="ssl_error")
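As an added example of the detection logic above (not MindsDB's own tooling), the script below runs over constructed log lines in an assumed key=value format, extracts the certificate-verification failures, counts them per destination host, and applies the heuristic that failures spread across several unrelated hosts in one batch are the interception-shaped signal. Adapt LINE_RE to the format your deployment actually emits.

```python
"""Flag TLS certificate-verification failures in application logs.

Added example, not MindsDB code. The log line format is an assumption.
"""
import re
from collections import Counter

# Constructed sample lines (assumed format). Two hosts fail verification;
# one ordinary timeout is included to show that it is not flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO  handler=postgres host=db.internal msg="connected"
2024-03-01T10:00:05Z ERROR handler=http host=api.vendor.example msg="SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate"
2024-03-01T10:00:07Z ERROR handler=http host=api.vendor.example msg="SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate"
2024-03-01T10:00:09Z ERROR handler=http host=files.partner.example msg="SSLCertVerificationError: hostname 'files.partner.example' doesn't match 'proxy.local'"
2024-03-01T10:00:12Z ERROR handler=http host=api.other.example msg="ConnectionError: timed out"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>\w+)\s+handler=(?P<handler>\S+)\s+host=(?P<host>\S+)\s+msg="(?P<msg>.*)"$'
)
# Strings Python's ssl module and requests emit when the peer certificate is rejected.
VERIFY_FAIL_MARKERS = ("CERTIFICATE_VERIFY_FAILED", "SSLCertVerificationError")
# For hostname mismatches, the name on the presented certificate is the best pivot:
# the same presented name across many destinations points at a single interceptor.
MISMATCH_RE = re.compile(r"doesn't match '(?P<presented>[^']+)'")


def find_tls_verification_failures(lines):
    """Return one dict per log line whose message is a certificate-verification failure."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or not any(marker in m["msg"] for marker in VERIFY_FAIL_MARKERS):
            continue
        mismatch = MISMATCH_RE.search(m["msg"])
        failures.append({
            "ts": m["ts"],
            "host": m["host"],
            "presented_name": mismatch["presented"] if mismatch else None,
            "msg": m["msg"],
        })
    return failures


def failures_by_host(failures):
    """Count verification failures per destination host."""
    return Counter(f["host"] for f in failures)


def looks_like_interception(failures, min_hosts=2):
    """Heuristic: failures against min_hosts or more distinct destinations in the
    same batch are more consistent with an on-path interceptor than one bad cert."""
    return len({f["host"] for f in failures}) >= min_hosts


if __name__ == "__main__":
    found = find_tls_verification_failures(SAMPLE_LOG.splitlines())
    for host, n in failures_by_host(found).most_common():
        print(f"{host}: {n} verification failure(s)")
    print("possible interception:", looks_like_interception(found))
```

A single host failing repeatedly is usually that host's certificate; treat it as a change-management question for the data source owner. Several hosts failing at once, especially with the same presented certificate name, is the case to escalate as a possible MITM.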
