CVE-2024-35195
Public on 2024-05-20
Modified on 2024-12-20
Description
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | aws-cfn-bootstrap | No Fix Planned | ||
| Amazon Linux 2 - Core | aws-cfn-bootstrap | 2024-10-16 | ALAS2-2024-2654 | Fixed |
| Amazon Linux 2023 | aws-cfn-bootstrap | 2024-10-14 | ALAS2023-2024-732 | Fixed |
| Amazon Linux 1 | python-pip | No Fix Planned | ||
| Amazon Linux 2 - Core | python-pip | 2024-12-19 | ALAS2-2024-2715 | Fixed |
| Amazon Linux 2023 | python-pip | 2024-12-12 | ALAS2023-2024-781 | Fixed |
| Amazon Linux 2 - Core | python-requests | 2025-05-29 | ALAS2-2025-2868 | Fixed |
| Amazon Linux 2023 | python-requests | 2024-12-12 | ALAS2023-2024-782 | Fixed |
| Amazon Linux 2 - Core | python3-requests | 2025-04-30 | ALAS2-2025-2846 | Fixed |
| Amazon Linux 2023 | python3.11-pip | 2024-12-12 | ALAS2023-2024-780 | Fixed |
| Amazon Linux 2023 | python3.12-pip | 2025-04-29 | ALAS2023-2025-957 | Fixed |
| Amazon Linux 2 - Python3.8 Extra | python38-pip | 2024-12-19 | ALAS2PYTHON3.8-2024-017 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| NVD | CVSSv3 | 5.6 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |