Homepage
About Snyk

Always-Incorrect Control Flow Implementation Affecting requests package, versions [,2.32.2)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-REQUESTS-6928867
  • published 21 May 2024
  • disclosed 20 May 2024
  • credit Mike Assel
Report a new vulnerability Found a mistake?

Introduced: 20 May 2024

CVE-2024-35195 Open this link in a new tab
CWE-670 Open this link in a new tab

How to fix?

Upgrade requests to version 2.32.2 or higher.

Overview

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

Notes:

  1. For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

  2. For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

  3. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.6 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

Red Hat

5.6 medium
Expand this section

SUSE

6 medium