CVE-2024-35195

Source: ubuntu.com (Ubuntu CVE tracker entry UB:CVE-2024-35195)
Published: May 20, 2024

Tags: requests, http library, cert verification, vulnerability, connection pool, fix, cve-2024-35195

CVSS v3.1 base score: 5.6 Medium
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

- Attack Vector: LOCAL
- Attack Complexity: HIGH
- Privileges Required: HIGH
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: NONE

AI Score: 6.4 Medium (confidence: High)
EPSS: 0.0004 Low (percentile 15.6%)

Requests is an HTTP library. Prior to 2.32.0, when making requests through a
Requests Session, if the first request is made with verify=False to
disable cert verification, all subsequent requests to the same host
continue to ignore cert verification regardless of changes to the value of
verify. This behavior persists for the lifetime of the connection
in the connection pool. This vulnerability is fixed in 2.32.0.
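Added example, not code from the Ubuntu tracker or the requests project: a stdlib-only static check that flags the usage pattern described above, a Session object that sends one request with verify=False and later sends requests to which verify=False is not passed, which on requests older than 2.32.0 can be served by the still-unverified pooled connection. The function names and the sample source are constructed for illustration.

```python
import ast
from collections import defaultdict

# Request methods whose verify= keyword matters (Session and module-level).
REQUEST_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample (not real project code): Session 's' mixes verify=False
# and verify=True against one host; Session 'ok' never disables verification.
SAMPLE_SOURCE = '''import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)
s.get("https://internal.example/admin", verify=True)  # pooled conn still unverified < 2.32.0
ok = requests.Session()
ok.get("https://api.example/", verify=True)
'''

def _receiver(call):
    """Name a request method is called on, e.g. 's' for s.get(...); else None."""
    func = call.func
    # requests.get() and friends build a fresh Session per call, so skip that receiver.
    if (isinstance(func, ast.Attribute) and func.attr in REQUEST_METHODS
            and isinstance(func.value, ast.Name) and func.value.id != "requests"):
        return func.value.id
    return None

def _verify_value(call):
    """Literal verify= value, 'absent' if omitted, 'dynamic' if not a constant."""
    for kw in call.keywords:
        if kw.arg == "verify":
            return kw.value.value if isinstance(kw.value, ast.Constant) else "dynamic"
    return "absent"

def find_mixed_verify_sessions(source):
    """Map receiver name -> (line of first verify=False call, line of the next call
    that does not pass verify=False).  Hosts are not resolved statically, so a
    reviewer still confirms the two calls can reach the same host."""
    per_name = defaultdict(list)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _receiver(node) is not None:
            per_name[_receiver(node)].append((node.lineno, _verify_value(node)))
    findings = {}
    for name, calls in per_name.items():
        calls.sort()  # ast.walk is breadth-first; order by source line
        disabled = [ln for ln, v in calls if v is False]
        later = [ln for ln, v in calls if v is not False and ln > disabled[0]] if disabled else []
        if later:
            findings[name] = (disabled[0], later[0])
    return findings
```

Until a fixed release is installed, giving any verify=False call its own Session keeps unverified connections out of the pool used for verified traffic.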

Notes

Author Note
mdeslaur: On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. The fix for this issue introduced regressions in certain other applications, such as docker. See https://github.com/docker/docker-py/pull/3257; this resulted in 2.32.0 and 2.32.1 being yanked, see: https://pypi.org/project/requests/#history Marking as deferred until a better strategy to address this issue can be determined.
