Vulnerability in requests==2.31.0
JoseAmaral436 opened this issue · comments
False positive for several reasons:

- No known exploits. / Can't be exploited. `requests` 2.31.0 was the latest release for a full year (and couldn't be exploited).
- The CVE describes a specific case: using `requests.Session(verify=False)`, which isn't used.
- Local only with high privileges required (meaning it can't be exploited by an attacker who isn't an admin user already, who would already have the permissions to do absolutely anything with Python already):
[Screenshot 2024-06-06 at 9 17 41 AM]
All current versions of `requests` after 2.31.0 are currently in worse shape (2.32.3 is the current latest):

- 2.32.0: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
- 2.32.1: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
- 2.32.2: psf/requests#6715
- 2.32.3: psf/requests#6726
Hoping for a newer version of `requests` soon that fixes that. Currently 2.31.0 is the best version to have.
Your vulnerability scanning tool (Snyk) has a major vulnerability in that it can recommend upgrading to a newer release of a Python library that is in worse shape than an earlier version. I recommend remediation. GitHub's own security tools are currently quite good for that: https://docs.github.com/en/code-security
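The issue author's argument rests on the claim that `verify=False` is never passed to a `requests.Session` in the scanned code base. The following is an added example, not code from the issue or from the `requests` project, of how to back that claim with a check rather than an assertion: a small `ast`-based scanner that finds every `verify=False` keyword argument and every `.verify = False` attribute assignment in a Python source file. It separates module-level helpers such as `requests.get(...)` (which build and discard a `Session` internally on every call) from calls on anything else, which may be a long-lived `Session` whose pooled connections are reused. The sample source it scans is constructed for the example; the `Finding` class and `find_verify_false` function are names chosen here, not part of `requests`.

```python
"""Locate verify=False usage in Python source (added example, not from the issue).

Constructed for illustration: the scanner and the sample input below are not
part of the requests project and are not the issue author's code.
"""
import ast
from dataclasses import dataclass

# Constructed sample input standing in for an application module.
# Lines 5..8 each disable verification in a different way; line 9 does not.
SAMPLE_SOURCE = """\
import requests
from requests import Session

s = requests.Session()
s.verify = False
r = s.get("https://example.invalid/a", verify=False)
Session().post("https://example.invalid/b", verify=False)
requests.get("https://example.invalid/c", verify=False)
ok = requests.Session().get("https://example.invalid/d")
"""


@dataclass(frozen=True)
class Finding:
    lineno: int
    kind: str    # "call-keyword" or "attribute-assignment"
    target: str  # source text of the callee or of the assigned attribute
    scope: str   # "module-level" (requests.<verb>) or "session-or-other"


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def _scope_of(func: ast.AST) -> str:
    # requests.get/post/... create a throwaway Session per call, so there is no
    # pooled connection to reuse. Anything else (s.get, Session().post, ...)
    # may be a long-lived Session and is flagged for manual review.
    if (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests"):
        return "module-level"
    return "session-or-other"


class _VerifyFalseFinder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # e.g. s.get(url, verify=False)
        for kw in node.keywords:
            if kw.arg == "verify" and _is_false(kw.value):
                self.findings.append(Finding(node.lineno, "call-keyword",
                                             ast.unparse(node.func),
                                             _scope_of(node.func)))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # e.g. s.verify = False (applies to every later request on that Session)
        if _is_false(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify":
                    self.findings.append(Finding(node.lineno, "attribute-assignment",
                                                 ast.unparse(target),
                                                 "session-or-other"))
        self.generic_visit(node)


def find_verify_false(source: str) -> list[Finding]:
    """Return every verify=False occurrence in `source`, ordered by line."""
    finder = _VerifyFalseFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings, key=lambda f: f.lineno)


if __name__ == "__main__":
    for f in find_verify_false(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.kind} on {f.target} ({f.scope})")
```

Run it over each file of the project (for example by feeding `pathlib.Path(p).read_text()` into `find_verify_false`); an empty result for every file supports the "isn't used" claim, while any `session-or-other` finding is the place to look before dismissing the scanner's report. The check is syntactic only: a `verify` value computed at runtime, or set through `**kwargs`, will not be caught.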