CVE-2024-35195

Requests `Session` object does not verify requests after making first request with verify=False

Description

When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.

‍
### Remediation
Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

5.5

Score Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Affected Versions

requests < 2.32.0

Severity

Medium

Ecosystem

Python

Publish Date

May 20, 2024

Modified Date

July 15, 2024