CVE-2024-35195: Always-Incorrect Control Flow Implementation in Requests

Severity: 5.6 MEDIUM (NVD)
EPSS: 0.0% (top 86.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (none listed)
Timeline: Published May 20; latest update Oct 15

Description

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable certificate verification, all subsequent requests to the same host will continue to ignore certificate verification regardless of changes to the value of `verify`. This behavior persists for the lifetime of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Exploitability: 0.3 | Impact: 5.2

Affected Packages (3 packages)

CVEListV5: psf/requests < 2.32.0
PyPI: python/requests < 2.32.0
Debian: python/requests < 2.32.3+dfsg-1+1

Vulnerability Details (4)

OSV: CVE-2024-35195: Requests is a HTTP library (2024-05-20)
CVEList: Requests `Session` object does not verify requests after making first request with verify=False (2024-05-20)
GHSA: Requests `Session` object does not verify requests after making first request with verify=False (2024-05-20)
OSV: Requests `Session` object does not verify requests after making first request with verify=False (2024-05-20)

Vendor Advisories (7)

Oracle: Oracle MySQL Risk Matrix: Cluster: General (Requests) — CVE-2024-35195 (2025-10-15)
Oracle: Oracle Communications Risk Matrix: Platform (Requests) — CVE-2024-35195 (2025-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Platform (requests) — CVE-2024-35195 (2025-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Install (requests) — CVE-2024-35195 (2025-01-15)
Red Hat: requests: subsequent requests to the same host ignore cert verification (2024-05-20)
CVE-2024-35195 — PSF Requests vulnerability | cvebase