PT-2024-6103 · Pypi · Requests
Mikeassel · Published 2024-05-20 · Updated 2026-06-03 · CVE-2024-35195
CVSS v3.1: 5.6 (Medium)
| Vector | AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Requests versions prior to 2.32.0
Description
The issue is related to the incorrect implementation of control flow in the Python Requests library, which can allow an attacker to access confidential data. When making requests through a Requests Session, if the first request is made with `verify=False` to disable certificate verification, all subsequent requests to the same host will continue to ignore certificate verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.
Recommendations
- Upgrade to version 2.32.0 or later.
- For versions prior to 2.32.0, avoid setting `verify=False` for the first request to a host while using a Requests Session.
- For versions prior to 2.32.0, call `close()` on Session objects to clear existing connections if `verify=False` is used.
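As an added example (not part of this advisory or of the Requests project), a small Python audit that flags every call passing `verify=False`, the pattern that poisons a Session's pooled connection on vulnerable versions, and checks an installed Requests version against the fixed release; the `SAMPLE` source is constructed here to show the pattern.

```python
import ast
import re
from typing import List, Tuple

# First release with the connection-pool verify fix (from the advisory).
FIXED_VERSION = (2, 32, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.31.0' into (2, 31, 0); suffixes such as 'rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def requests_is_vulnerable(version: str) -> bool:
    """True when the given Requests version is older than 2.32.0."""
    return parse_version(version) < FIXED_VERSION


def find_verify_false_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, callee) for every call that passes verify=False.

    On a Session with Requests < 2.32.0 such a call leaves the pooled
    connection to that host unverified for every later request.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # Only a literal False counts; verify=None or a CA path are fine.
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, ast.unparse(node.func)))
    return findings


# Constructed sample reproducing the advisory's pattern (hostnames are placeholders).
SAMPLE = '''
import requests
s = requests.Session()
s.get("https://example.test/health", verify=False)  # poisons the pool for this host
s.get("https://example.test/secret")                 # silently unverified on < 2.32.0
requests.get("https://other.test/", verify=False)
'''

if __name__ == "__main__":
    for line, func in find_verify_false_calls(SAMPLE):
        print(f"line {line}: {func}(..., verify=False)")
    print("2.31.0 vulnerable:", requests_is_vulnerable("2.31.0"))
```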
Affected Products
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Requests
Rocky Linux
Suse
Ubuntu