CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
AI Score: 6.4 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.6%)
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
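A defensive workaround for the behaviour described above, added here as an example and not code from the Requests project: a Session subclass that remembers which hosts were contacted with verify=False and, when verification is switched back on for such a host, closes the mounted adapters so the pooled unverified connection cannot be reused. The hostnames in the comments are placeholders.

```python
import requests
from urllib.parse import urlsplit


class VerifyAwareSession(requests.Session):
    """Session that discards pooled connections when `verify` is re-enabled
    for a host that was previously contacted with verify=False.

    Before 2.32.0 the connection pool was keyed without regard to `verify`,
    so a connection opened unverified would be reused for later requests
    even if they asked for certificate verification. Closing the adapters
    clears every pool, forcing a fresh (verified) TLS handshake.
    """

    def __init__(self):
        super().__init__()
        self._unverified_hosts = set()
        self.pool_resets = 0  # how many times pools were dropped

    @staticmethod
    def _host_key(url):
        parts = urlsplit(url)
        return (parts.scheme, parts.hostname, parts.port)

    def _prepare_pool(self, url, verify):
        """Record the verify state for this host.

        Returns True if pooled connections were discarded for this call.
        """
        key = self._host_key(url)
        if not verify:
            self._unverified_hosts.add(key)
            return False
        if key in self._unverified_hosts:
            # Session.close() calls close() on every mounted HTTPAdapter,
            # which clears its urllib3 PoolManager; adapters stay usable.
            self.close()
            self._unverified_hosts.discard(key)
            self.pool_resets += 1
            return True
        return False

    def request(self, method, url, **kwargs):
        verify = kwargs.get("verify")
        if verify is None:
            verify = self.verify  # session default, normally True
        self._prepare_pool(url, verify)
        return super().request(method, url, **kwargs)
```

Upgrading to a fixed Requests release is the real remedy; this wrapper only narrows the window on versions that cannot yet be upgraded.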
Author | Note |
---|---|
mdeslaur | On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. The fix for this issue introduced regressions in certain other applications, such as docker. See https://github.com/docker/docker-py/pull/3257 and resulted in 2.32.0 and 2.32.1 being yanked, see: https://pypi.org/project/requests/#history Marking as deferred until a better strategy to address this issue can be determined. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 23.10 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 24.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 18.04 | noarch | requests | < any | UNKNOWN |
ubuntu | 20.04 | noarch | requests | < any | UNKNOWN |
ubuntu | 22.04 | noarch | requests | < any | UNKNOWN |