requests@0.10.7 vulnerabilities

Python HTTP for Humans.

  • latest version

    2.32.4

  • latest non vulnerable version

  • first published

    14 years ago

  • latest version published

    23 days ago

  • licenses detected

    • [0.0.1,1.0.0)
  • Direct Vulnerabilities

    Known vulnerabilities in the requests package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to incorrect URL processing. An attacker could craft a malicious URL that, when processed by the library, tricks it into sending the victim's .netrc credentials to a server controlled by the attacker.

    Note:

    This is only exploitable if the .netrc file contains an entry for the hostname that the attacker includes in the crafted URL's "intended" part (e.g., example.com in http://example.com:@evil.com/).

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade requests to version 2.32.4 or higher.

    [0,2.32.4)
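    A defender-side pre-flight check for the URL shape described in this entry, written as an added example (it is not code from requests or from Snyk). It uses only the standard library: urllib.parse to split the authority, and the netrc module to see whether the hostname-looking "username" in the userinfo has a matching .netrc entry, which is the condition under which a vulnerable client would send those credentials to the real host. The function names, the sample URLs and the sample .netrc content are constructed for the demonstration.

```python
"""Pre-flight check for the .netrc credential-leak URL pattern (requests < 2.32.4).
Added example, not requests' own code. Names and sample data are constructed."""
import netrc
import tempfile
from urllib.parse import urlsplit


def split_authority(url):
    """Return (userinfo, effective_host) for a URL.

    For http://example.com:@evil.com/ the userinfo is 'example.com:' and the
    host that will actually be contacted is 'evil.com'. The advisory's point is
    that a vulnerable client looked up .netrc credentials for the part before
    '@' and then sent them to evil.com.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return None, parts.hostname
    userinfo, _, _ = parts.netloc.rpartition("@")
    return userinfo, parts.hostname


def looks_like_host(userinfo):
    """True when the username half of userinfo reads as a dotted hostname
    (e.g. 'example.com') rather than an ordinary login name."""
    if not userinfo:
        return False
    user = userinfo.split(":", 1)[0]
    labels = user.split(".")
    return len(labels) >= 2 and all(lab and lab.replace("-", "").isalnum() for lab in labels)


def netrc_leak_risk(url, netrc_obj):
    """Classify a URL before handing it to an HTTP client:
      'ok'         - no userinfo at all
      'userinfo'   - plain inline credentials (undesirable, but not this bug)
      'netrc-leak' - username looks like a host, differs from the real host,
                     and .netrc has credentials for it: a vulnerable requests
                     would send those credentials to the real host."""
    userinfo, host = split_authority(url)
    if userinfo is None:
        return "ok"
    if not looks_like_host(userinfo):
        return "userinfo"
    decoy_host = userinfo.split(":", 1)[0]
    if decoy_host != host and netrc_obj.authenticators(decoy_host) is not None:
        return "netrc-leak"
    return "userinfo"


# Constructed sample .netrc content; never use real credentials in a demo.
SAMPLE_NETRC = "machine example.com login alice password s3cret\n"


def load_sample_netrc():
    """Write the constructed .netrc to a private temp file and parse it with the
    stdlib netrc module (an explicit path skips the ~/.netrc ownership checks)."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(SAMPLE_NETRC)
        path = fh.name
    return netrc.netrc(path)


if __name__ == "__main__":
    rc = load_sample_netrc()
    for u in ("http://example.com:@evil.com/", "https://example.com/", "https://bob:pw@example.com/"):
        print(u, "->", netrc_leak_risk(u, rc))
```

    The check is deliberately conservative: any URL carrying userinfo is reported, and the 'netrc-leak' class is reserved for the exact combination the advisory's note calls out (a .netrc entry for the decoy host). Upgrading to 2.32.4 remains the real fix; this only helps triage URLs from untrusted input on an older pinned version.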
    • M
    Always-Incorrect Control Flow Implementation

    Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

    Notes:

    1. For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

    2. For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

    3. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.

    How to fix Always-Incorrect Control Flow Implementation?

    Upgrade requests to version 2.32.2 or higher.

    [,2.32.2)
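    To make the failure mode and the two workarounds in the notes concrete, here is an added example (not code from requests or Snyk). PoolPoisonedSession is a constructed stand-in that emulates the reported behaviour, remembering the verify flag a host's first connection was created with; it is not the real requests.Session. VerifyGuard is a hypothetical wrapper applying note 2: it calls close() on the wrapped session whenever the verify value for a host changes, so no cached connection created with verify=False is reused for a request that asked for verification.

```python
"""Emulation of the per-host verify poisoning reported for requests < 2.32.2,
with a wrapper that applies the advisory's workaround (close() before the verify
value changes). Added example; the session class is a constructed stand-in."""


class PoolPoisonedSession:
    """Constructed stand-in for the buggy behaviour: the verify flag used when a
    host's connection pool is first created is frozen and reused afterwards."""

    def __init__(self):
        self._pools = {}   # host -> verify flag frozen at first connection
        self.log = []      # (host, verify flag actually applied)

    def get(self, host, verify=True):
        applied = self._pools.setdefault(host, verify)  # later values ignored
        self.log.append((host, applied))
        return applied

    def close(self):
        """Drop all cached connections, as the advisory's note 2 recommends."""
        self._pools.clear()


class VerifyGuard:
    """Hypothetical wrapper for older pinned versions: if the verify value for a
    host differs from the one last used, close() the session first so the next
    request builds a fresh connection with the requested setting."""

    def __init__(self, session):
        self._session = session
        self._last_verify = {}

    def get(self, host, verify=True):
        if self._last_verify.get(host, verify) != verify:
            self._session.close()
        self._last_verify[host] = verify
        return self._session.get(host, verify=verify)


def demo_unguarded():
    """Returns the verify flag applied to the second request: False, because the
    first request to the host poisoned the pool."""
    s = PoolPoisonedSession()
    s.get("api.example", verify=False)
    return s.get("api.example", verify=True)


def demo_guarded():
    """Same sequence through VerifyGuard: True, because close() reset the pool."""
    g = VerifyGuard(PoolPoisonedSession())
    g.get("api.example", verify=False)
    return g.get("api.example", verify=True)


if __name__ == "__main__":
    print("unguarded second request verified:", demo_unguarded())
    print("guarded second request verified:  ", demo_guarded())
```

    The wrapper is a stop-gap that encodes the note's advice mechanically; the simpler policy from note 1 is never to use verify=False inside a Session that also carries verified traffic, and the real fix is to upgrade to 2.32.2 or later.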
    • H
    Denial of Service (DoS)

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incorrect password used in conjunction with digest authentication. This can lead to an infinite request retry cycle.

    How to fix Denial of Service (DoS)?

    Upgrade requests to version 0.12.0 or higher.

    [,0.12.0)
    • C
    Information Exposure

    Requests is a Non-GMO HTTP library for Python

    Affected versions of this package are vulnerable to Information Exposure. Upon receiving a same-hostname https-to-http redirect, it sends the HTTP Authorization header to an http URI. This makes it easier for remote attackers to discover credentials by sniffing the network.

    How to fix Information Exposure?

    Upgrade requests to version 2.20 or higher.

    [,2.20)
    • M
    Information Exposure

    requests is a Python HTTP for Humans.

    Affected versions of this package are vulnerable to Information Disclosure attacks. Remote servers may obtain sensitive information by reading the Proxy-Authorization header in a redirected request.

    How to fix Information Exposure?

    Upgrade to version 2.3.0 or greater.

    [,2.3.0)
    • M
    Information Exposure

    requests is a Python HTTP for Humans.

    Affected versions of this package are vulnerable to Information Exposure. Remote servers may obtain a netrc password by reading the Authorization header in a redirected request.

    How to fix Information Exposure?

    Upgrade to version 2.3.0 or greater.

    [,2.3.0)
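    The three redirect entries above (Authorization forwarded on an https-to-http redirect, Proxy-Authorization forwarded on redirect, and a .netrc-derived Authorization forwarded on redirect) share one defensive rule: decide per redirect which credential headers may follow the request. Here is that rule as an added example, written from scratch with the standard library; it is not the project's own redirect code, and the exact policy requests applies in its fixed versions may differ in details (ports, for instance, are ignored here).

```python
"""Credential-header policy for HTTP redirects. Added example, not requests' code.
Rule: Proxy-Authorization never follows a redirect; Authorization follows only
when the host is unchanged and the scheme has not been downgraded from https."""
from urllib.parse import urlsplit


def should_strip_auth(old_url, new_url):
    """True when Authorization must not be carried from old_url to new_url."""
    old, new = urlsplit(old_url), urlsplit(new_url)
    if old.hostname != new.hostname:
        return True                      # credentials are scoped to the origin host
    return old.scheme == "https" and new.scheme == "http"   # downgrade leaks to the wire


def headers_for_redirect(old_url, new_url, headers):
    """Return the subset of headers that may be sent on the redirected request."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "proxy-authorization":
            continue                     # proxy credentials are re-derived per request, never forwarded
        if lname == "authorization" and should_strip_auth(old_url, new_url):
            continue
        kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed sample headers for the demonstration.
    sample = {"Authorization": "Basic dXNlcjpwYXNz", "Proxy-Authorization": "Basic cHJveHk=", "Accept": "*/*"}
    print(headers_for_redirect("https://example.com/a", "http://example.com/b", sample))
    print(headers_for_redirect("https://example.com/a", "https://example.com/b", sample))
```

    Detection-wise, the same predicate can be run over proxy or application logs: any request chain where an https origin redirects to plain http on the same host and the follow-up carries an Authorization header is exactly the exposure described in the 2.20 entry.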
    • M
    Denial of Service (DoS)

    requests is a Python HTTP for Humans.

    Affected versions of this package are vulnerable to Denial of Service attacks. Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

    How to fix Denial of Service (DoS)?

    Upgrade to version 1.1.0 or greater.

    [,1.1.0)
    • M
    Denial of Service (DoS)

    requests is a Python HTTP for Humans.

    Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When sending a digest with an incorrect password, it will retry the request indefinitely. An attacker can send many of these requests, causing a denial of service.

    [,1.2.3]