CVE-2024-35195 – Requests `Session` object does not verify requests after making first request with verify=False
https://notcve.org/view.php?id=CVE-2024-35195
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. Requests es una librería HTTP. • https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac https://github.com/psf/requests/pull/6655 https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ https://access.redhat.com/security/cve/CVE-2024-35195 https://bugzilla.redhat.com/show_bug • CWE-670: Always-Incorrect Control Flow Implementation •
CVE-2022-34782
https://notcve.org/view.php?id=CVE-2022-34782
An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. Una comprobación de permisos incorrecta en Jenkins requests-plugin Plugin versiones 2.2.16 y anteriores, permite a atacantes con permiso Overall/Read ver la lista de peticiones pendientes • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2650 • CWE-863: Incorrect Authorization •
CVE-2021-21676
https://notcve.org/view.php?id=CVE-2021-21676
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address. El Plugin Jenkins requests-plugin versiones 2.2.7 y anteriores no lleva a cabo una comprobación de permisos en un endpoint HTTP, permitiendo a atacantes con permiso General y de lectura enviar correos electrónicos de prueba a una dirección de correo electrónico especificada por el atacante • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2136%20%282%29 • CWE-862: Missing Authorization •
CVE-2021-21675
https://notcve.org/view.php?id=CVE-2021-21675
A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Jenkins requests-plugin versiones 2.2.12 y anteriores permite a atacantes crear peticiones y/o hacer que los administradores apliquen peticiones pendientes • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2136%20%281%29 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-21674
https://notcve.org/view.php?id=CVE-2021-21674
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. Una comprobación de permisos faltante en Jenkins requests-plugin Plugin versiones 2.2.6 y anteriores permite a atacantes con permiso Overall/Read ver la lista de peticiones pendientes • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-1995 •