Vulnerability Description
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
- https://github.com/psf/requests/pull/6655
- https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
- https://github.com/psf/requests/pull/6655
- https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
FAQ
What is CVE-2024-35195?
CVE-2024-35195 is a vulnerability with a CVSS score of 5.6 (MEDIUM). Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests t...
How severe is CVE-2024-35195?
CVE-2024-35195 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-35195?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.