Requests <2.32: Session cert verify bypass persists
CVE-2024-35195 Published on May 20, 2024

Requests `Session` object does not verify requests after making first request with verify=False
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request to a host is made with `verify=False` to disable certificate verification, all subsequent requests to the same host continue to skip certificate verification regardless of the value of `verify` on those later calls. This behavior persists for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
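To make the mechanism concrete, here is an added, simplified model (not code from the requests or urllib3 projects) of how a pooled connection keeps the TLS setting it was created with, and of the kind of fix that makes later `verify=True` calls safe again: the pool lookup key must include the verify setting, so a `verify=False` pool is never handed to a request that asked for verification. The `Pool`, `PoolManager` and `run_sequence` names, the host name and the pool-key tuples are assumptions for illustration; `is_affected_requests_version` is a helper that compares a version string against the fixed release named above.

```python
"""Simplified model of why one verify=False request can 'poison' a pooled
connection, and of keying the pool on the verify setting to prevent it.
Added illustration only; class names and key layout are assumptions and
do not reproduce the real requests/urllib3 implementation."""
import re
from dataclasses import dataclass


@dataclass
class Pool:
    """One cached connection pool; its TLS settings are fixed at creation."""
    host: str
    verify: bool
    requests_served: int = 0

    def request(self) -> bool:
        # Return whether this request actually verified the server certificate.
        self.requests_served += 1
        return self.verify


class PoolManager:
    """Caches pools by key; a request reuses whatever pool its key resolves to."""

    def __init__(self, key_includes_verify: bool):
        self.key_includes_verify = key_includes_verify
        self.pools: dict[tuple, Pool] = {}

    def _key(self, host: str, verify: bool) -> tuple:
        # Vulnerable keying (modelled on the <2.32.0 behaviour): host only, so
        # the verify flag of the FIRST request to a host decides for all later ones.
        # Fixed keying: the verify flag is part of the key, so verify=True
        # requests never share a pool with verify=False ones.
        return (host, verify) if self.key_includes_verify else (host,)

    def request(self, host: str, verify: bool = True) -> bool:
        key = self._key(host, verify)
        pool = self.pools.get(key)
        if pool is None:
            pool = self.pools[key] = Pool(host, verify)
        return pool.request()


def run_sequence(key_includes_verify: bool) -> list[bool]:
    """First call verify=False, then two calls that ask for verification.
    Returns, per call, whether the certificate was actually verified."""
    pm = PoolManager(key_includes_verify)
    host = "api.example.com"  # constructed sample host
    return [
        pm.request(host, verify=False),
        pm.request(host, verify=True),
        pm.request(host),  # default verify=True
    ]


def is_affected_requests_version(version: str) -> bool:
    """True if the requests version string is below the fixed release 2.32.0.
    Pre-release suffixes (e.g. '2.32.0rc1') are treated as the base version."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums) < (2, 32, 0)


if __name__ == "__main__":
    print("host-only pool key (vulnerable):", run_sequence(False))
    print("host+verify pool key (fixed):   ", run_sequence(True))
    for v in ("2.31.0", "2.32.0", "2.32.3"):
        print(v, "affected" if is_affected_requests_version(v) else "fixed")
```

With host-only keying the second and third calls silently run unverified even though they asked for `verify=True`; with the verify flag in the key they get a fresh, verifying pool. For defenders the practical takeaways are to upgrade to 2.32.0 or later, and, on older versions, never to mix `verify=False` and `verify=True` calls within one `Session` (use a separate, short-lived `Session` for any deliberately unverified traffic) so the shared pool is never created in the unverified state.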


Vulnerability Analysis

CVE-2024-35195 can be exploited with local system access and requires both user interaction and high privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be high for confidentiality and integrity, with no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.


Products Associated with CVE-2024-35195


Affected Versions

psf requests; request_project request

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-35195

Package Manager   Vulnerable Package   Versions   Fixed In
pip               requests             < 2.32.0   2.32.0

Exploit Probability

EPSS
0.05%
Percentile
13.79%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.