Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05d3g0LWg3OHYtdm01Ns4AA8WK
Requests `Session` object does not verify requests after making first request with `verify=False`
When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.
Remediation
Any of these options can be used to remediate the current issue; we highly recommend upgrading as the preferred mitigation.
- Upgrade to `requests>=2.32.0`.
- For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests `Session`.
- For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.
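As an added example (not part of the advisory or of the requests project), a stdlib-only audit helper that flags literal `verify=False` keyword arguments on requests-style calls in Python source, so that `Session` reuse around such calls can be reviewed, and that classifies a requests version against the affected range. The method-name set and the sample source are constructed assumptions.

```python
"""Audit helper for GHSA-9wx4-h78v-vm56 (requests < 2.32.0).
Added example, not code from the advisory or the requests project."""
import ast
import re
from typing import List, Tuple

# Assumption: requests / requests.Session method names that accept ``verify``.
HTTP_METHODS = {"request", "get", "post", "put", "patch", "delete",
                "head", "options", "send"}
FIXED_VERSION = (2, 32, 0)  # from the advisory: fixed in 2.32.0


def is_affected(version: str) -> bool:
    """True when ``version`` is below 2.32.0 (pre-release tags are ignored)."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (nums + (0, 0, 0))[:3] < FIXED_VERSION


def find_insecure_verify(source: str) -> List[Tuple[int, str]]:
    """Return (line, method) for every call passing a literal ``verify=False``.
    On requests < 2.32.0 such a call through a Session leaves the pooled
    connection to that origin unverified, so each hit is a place to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in HTTP_METHODS:
            continue
        for kw in node.keywords:
            # Only a literal False counts; ``0`` or a variable is not flagged.
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, name))
    return findings


# Constructed sample: the second request looks verified but, on < 2.32.0,
# reuses the unverified pooled connection created by the first one.
SAMPLE_SOURCE = '''
import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)
s.get("https://internal.example/api", verify=True)
'''
```

Running `find_insecure_verify` over a code base and `is_affected` over the pinned requests version together tell you whether the third remediation item (closing the `Session`) or an upgrade is needed.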
Related Links
Permalink: https://github.com/advisories/GHSA-9wx4-h78v-vm56
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05d3g0LWg3OHYtdm01Ns4AA8WK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-9wx4-h78v-vm56, CVE-2024-35195
References:
- https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
- https://github.com/psf/requests/pull/6655
- https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
- https://nvd.nist.gov/vuln/detail/CVE-2024-35195
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
- https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
- https://github.com/advisories/GHSA-9wx4-h78v-vm56
Blast Radius: 32.7
Affected Packages
pypi:requests
Dependent packages: 32,025
Dependent repositories: 679,836
Downloads: 555,501,361 last month
Affected Version Ranges: < 2.32.0
Fixed in: 2.32.0
All affected versions: 0.0.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.6, 0.10.7, 0.10.8, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.14.0, 0.14.1, 0.14.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.18.1, 2.18.2, 2.18.3, 2.18.4, 2.19.0, 2.19.1, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.25.1, 2.26.0, 2.27.0, 2.27.1, 2.28.0, 2.28.1, 2.28.2, 2.29.0, 2.30.0, 2.31.0
All unaffected versions: 2.32.0, 2.32.1, 2.32.2, 2.32.3