requests@0.6.2 vulnerabilities

Python HTTP for Humans.

Direct Vulnerabilities

Known vulnerabilities in the requests package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Always-Incorrect Control Flow Implementation

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

Notes:

  1. For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

  2. For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

  3. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.

How to fix Always-Incorrect Control Flow Implementation?

Upgrade requests to version 2.32.2 or higher.

Vulnerable versions: [,2.32.2)

Severity: High
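As an added example that is not part of the Snyk listing or the requests project: a guard that applies mitigation note 2 above around any Session-like object, dropping pooled connections whenever the verify setting for a host changes. The `PooledSessionModel` below is a constructed, offline stand-in for the pre-2.32.2 pool behaviour (pool keyed by host, so the first connection's verify flag sticks); both classes and the `demo` function are assumptions, not requests code.

```python
from urllib.parse import urlsplit


class PooledSessionModel:
    """Constructed model of a requests Session before 2.32.2: the connection
    pool is keyed by host only, so the verify flag used when the pooled
    connection was opened is what later requests effectively get."""

    def __init__(self):
        self.pool = {}  # host -> verify flag of the pooled connection

    def request(self, method, url, verify=True, **kwargs):
        host = urlsplit(url).netloc.lower()
        effective = self.pool.setdefault(host, verify)  # reuse sticks
        return {"url": url, "effective_verify": effective}

    def close(self):
        self.pool.clear()  # close() drops pooled connections, as in requests


class VerifyGuardedSession:
    """Wraps any object with .request(method, url, **kw) and .close().
    If the verify value for a host differs from the one its pooled
    connection was opened with, close the session first so the request
    cannot reuse a connection opened without certificate checks."""

    def __init__(self, session):
        self._session = session
        self._verify_seen = {}  # host -> verify value in use
        self.resets = 0  # how often pooled connections were dropped

    def request(self, method, url, verify=True, **kwargs):
        host = urlsplit(url).netloc.lower()
        previous = self._verify_seen.get(host)
        if previous is not None and previous != verify:
            self._session.close()
            self._verify_seen.clear()
            self.resets += 1
        self._verify_seen[host] = verify
        return self._session.request(method, url, verify=verify, **kwargs)

    def close(self):
        self._session.close()
        self._verify_seen.clear()


def demo(guarded):
    """First request verify=False, second verify=True to the same host;
    returns the verify setting the second request effectively ran with."""
    session = PooledSessionModel()
    client = VerifyGuardedSession(session) if guarded else session
    client.request("GET", "https://example.test/login", verify=False)
    second = client.request("GET", "https://example.test/data", verify=True)
    return second["effective_verify"]
```

Without the guard `demo(False)` returns False (the second request silently inherits verify=False); with it `demo(True)` returns True. Upgrading to 2.32.2 remains the real fix; the guard only contains the risk on versions you cannot upgrade yet.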
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incorrect password used in conjunction with digest authentication, which leads to an infinite request retry cycle.

How to fix Denial of Service (DoS)?

Upgrade requests to version 0.12.0 or higher.

Vulnerable versions: [,0.12.0)

Severity: Critical
Information Exposure

Requests is a Non-GMO HTTP library for Python

Affected versions of this package are vulnerable to Information Exposure. Upon receiving a same-hostname https-to-http redirect, it sends the HTTP Authorization header to an http URI. This makes it easier for remote attackers to discover credentials by sniffing the network.

How to fix Information Exposure?

Upgrade requests to version 2.20 or higher.

Vulnerable versions: [,2.20)

Severity: Medium
Information Exposure

Affected versions of this package are vulnerable to Information Disclosure attacks. Remote servers may obtain sensitive information by reading the Proxy-Authorization header in a redirected request.

How to fix Information Exposure?

Upgrade to version 2.3.0 or greater.

Vulnerable versions: [,2.3.0)

Severity: Medium
Information Exposure

Affected versions of this package are vulnerable to Information Exposure. Remote servers may obtain a netrc password by reading the Authorization header in a redirected request.

How to fix Information Exposure?

Upgrade to version 2.3.0 or greater.

Vulnerable versions: [,2.3.0)

Severity: Medium
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service attacks. Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

How to fix Denial of Service (DoS)?

Upgrade to version 1.1.0 or greater.

Vulnerable versions: [,1.1.0)

Severity: Medium
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When sending a digest with an incorrect password, it retries the request indefinitely. An attacker can send many of these requests, causing a denial of service.

Vulnerable versions: [,1.2.3]