CVE-2024-35195 — Requests `Session` object does not verify requests after making first request wi

Description

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

How to fix CVE-2024-35195

To remediate CVE-2024-35195, upgrade the affected package to a fixed version below.

—upgrade to 2.32.3-r0 or later
—no fix listed
—upgrade to 2.32.0 or later

Is CVE-2024-35195 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.32.3-r0
from 0
from 0, < 2.32.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-35195
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-35195
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-35195
PATCHgithub.com/psf/requests
WEB