11 results (0.006 seconds)

CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-35195 – Requests `Session` object does not verify requests after making first request with verify=False

https://notcve.org/view.php?id=CVE-2024-35195

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. Requests es una librería HTTP. • https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac https://github.com/psf/requests/pull/6655 https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ https://access.redhat.com/security/cve/CVE-2024-35195 https://bugzilla.redhat.com/show_bug • CWE-670: Always-Incorrect Control Flow Implementation •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1

CVE-2023-32681 – Unintended leak of Proxy-Authorization header in requests

https://notcve.org/view.php?id=CVE-2023-32681

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. • https://github.com/hardikmodha/POC-CVE-2023-32681 https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 https://github.com/psf/requests/releases/tag/v2.31.0 https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-34782

https://notcve.org/view.php?id=CVE-2022-34782

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. Una comprobación de permisos incorrecta en Jenkins requests-plugin Plugin versiones 2.2.16 y anteriores, permite a atacantes con permiso Overall/Read ver la lista de peticiones pendientes • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2650 • CWE-863: Incorrect Authorization •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-21676

https://notcve.org/view.php?id=CVE-2021-21676

Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address. El Plugin Jenkins requests-plugin versiones 2.2.7 y anteriores no lleva a cabo una comprobación de permisos en un endpoint HTTP, permitiendo a atacantes con permiso General y de lectura enviar correos electrónicos de prueba a una dirección de correo electrónico especificada por el atacante • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2136%20%282%29 • CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-21675

https://notcve.org/view.php?id=CVE-2021-21675

A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Jenkins requests-plugin versiones 2.2.12 y anteriores permite a atacantes crear peticiones y/o hacer que los administradores apliquen peticiones pendientes • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2136%20%281%29 • CWE-352: Cross-Site Request Forgery (CSRF) •