CVE-2024-35195
Public on 2024-05-20
Modified on 2024-05-21
Description
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | aws-cfn-bootstrap | No Fix Planned | ||
| Amazon Linux 2 - Core | aws-cfn-bootstrap | 2024-10-10 | ALAS2-2024-2654 | Fixed |
| Amazon Linux 2023 | aws-cfn-bootstrap | 2024-10-10 | ALAS2023-2024-732 | Fixed |
| Amazon Linux 1 | python-pip | No Fix Planned | ||
| Amazon Linux 2 - Core | python-pip | Pending Fix | ||
| Amazon Linux 2023 | python-pip | Pending Fix | ||
| Amazon Linux 2 - Core | python-requests | Pending Fix | ||
| Amazon Linux 2023 | python-requests | Pending Fix | ||
| Amazon Linux 2 - Core | python3-requests | Pending Fix | ||
| Amazon Linux 2023 | python3.11-pip | Pending Fix | ||
| Amazon Linux 2 - Python3.8 Extra | python38-pip | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| NVD | CVSSv3 | 5.6 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |