Sign In

CVE-2024-35195

ADVISORY - github

Summary

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

Remediation

Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

  • Upgrade to requests>=2.32.0.
  • For requests<2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.
  • For requests<2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

Related Links

EPSS Score: 0.00033 (0.082)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-670

Always-Incorrect Control Flow Implementation

ADVISORY - github

CWE-670

Always-Incorrect Control Flow Implementation

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-670

Always-Incorrect Control Flow Implementation

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-670

Always-Incorrect Control Flow Implementation

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in