Headline
CVE-2023-48054
Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
# Cryptographic API Misuse Vulnerability: Missing SSL Certificate Validation

> Do not use unverified hostname or certificates in connection

### Description:

In localstack v2.3.2 there are sections where SSL certificate validation appears to be missing. Proper SSL certificate validation is a cornerstone of secure communication over HTTPS, and its absence can lead to severe security risks such as Man-In-The-Middle (MITM) attacks. In particular, the code does not enforce hostname verification or certificate validation.

### Affected Version

v2.3.2

### Location:

- https://github.com/localstack/localstack/blob/master/localstack/services/opensearch/cluster.py#L396
- https://github.com/localstack/localstack/blob/master/localstack/services/opensearch/cluster.py#L56

### Reference

- CWE-295: Improper Certificate Validation
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-319: Cleartext Transmission of Sensitive Information

### Expected Behavior:

The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname.

### Actual Behavior:

The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced.

### Recommendation

- Set `verify=True` on the GET request so that SSL certificate validation is performed.

Due to the sensitive nature of data transmitted over HTTPS, it is imperative to address this vulnerability promptly to maintain the integrity and confidentiality of communication for users.
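A static check for the pattern the recommendation addresses, given here as an added example that is not localstack's code: it assumes the client is the Python `requests` library, whose `verify` keyword the recommendation names, and flags HTTP calls that pass the literal `verify=False`. The names `find_unverified_calls` and `HTTP_CALLS` and the sample source are constructed for illustration.

```python
import ast

# Method names on `requests` / `requests.Session` that accept `verify`.
HTTP_CALLS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample source (not localstack code).
SAMPLE = '''\
import requests

def health(url):
    return requests.get(url, verify=False)

def health_checked(url):
    return requests.get(url, verify=True)

def health_ca(url):
    return requests.get(url, verify="/path/to/ca.pem")

def health_default(url):
    return requests.get(url)

def push(session, url, body):
    return session.post(url, json=body, verify=False)
'''

def find_unverified_calls(source, filename="<constructed>"):
    """Return sorted (line, method) pairs for HTTP calls passing verify=False."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match requests.get(...) / session.get(...) as well as a bare get(...).
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in HTTP_CALLS:
            continue
        for kw in node.keywords:
            # Only the literal False disables validation; True, a CA bundle
            # path, or an omitted keyword all keep it on.
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((node.lineno, name))
    return sorted(findings)

if __name__ == "__main__":
    for line, method in find_unverified_calls(SAMPLE):
        print(f"line {line}: {method}() called with verify=False")
```

The check matches only a literal `False`; a variable or configuration value passed as `verify` is not resolved and needs manual review.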