From 1acbf6ce7bfaac0f63f682f3a42e2e73ca3e0074 Mon Sep 17 00:00:00 2001 From: Anne Stellingwerf Date: Wed, 29 May 2024 11:23:39 +0200 Subject: [PATCH] Improve GHSA-9wx4-h78v-vm56 --- .../05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json b/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json index b2e1f870312b2..a962e7fde4579 100644 --- a/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json +++ b/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json @@ -7,7 +7,7 @@ "CVE-2024-35195" ], "summary": "Requests `Session` object does not verify requests after making first request with verify=False", - "details": "When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.0`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655", + "details": "When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.2`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655", "severity": [ { "type": "CVSS_V3", @@ -28,11 +28,14 @@ "introduced": "0" }, { - "fixed": "2.32.0" + "fixed": "2.32.2" } ] } - ] + ], + "database_specific": { + "last_known_affected_version_range": "< 2.32.0" + } } ], "references": [ @@ -64,6 +67,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-20T20:15:00Z", - "nvd_published_at": "2024-05-20T21:15:09Z" + "nvd_published_at": null } } \ No newline at end of file