CVE-2024-35195
Requests `Session` object does not verify requests after making first request with verify=False
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Requests es una librería HTTP. Antes de 2.32.0, al realizar solicitudes a través de una `Sesión` de Solicitudes, si la primera solicitud se realiza con `verify=False` para deshabilitar la verificación de certificados, todas las solicitudes posteriores al mismo host continuarán ignorando la verificación de certificados independientemente de los cambios en el valor de "verificar". Este comportamiento continuará durante el ciclo de vida de la conexión en el grupo de conexiones. Esta vulnerabilidad se solucionó en 2.32.0.
An incorrect control flow implementation vulnerability was found in Requests. If the first request in a session is made with verify=False, all subsequent requests to the same host will continue to ignore cert verification.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-05-10 CVE Reserved
- 2024-05-20 CVE Published
- 2024-05-21 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-670: Always-Incorrect Control Flow Implementation
CAPEC
References (7)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-35195 | 2024-11-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2282114 | 2024-11-21 |