CVE-2024-35195 Affecting kubeflow-pipelines package, versions <2.2.0-r2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-WOLFILATEST-KUBEFLOWPIPELINES-7216460
- published 6 Jun 2024
- disclosed 20 May 2024
Introduced: 20 May 2024
CVE-2024-35195 Open this link in a new tabHow to fix?
Upgrade Wolfi
kubeflow-pipelines
to version 2.2.0-r2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kubeflow-pipelines
package and not the kubeflow-pipelines
package as distributed by Wolfi
.
See How to fix?
for Wolfi
relevant fixed versions and status.
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session
, if the first request is made with verify=False
to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify
. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
References
- https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
- https://github.com/psf/requests/pull/6655
- https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/