Vulnerability in requests==2.31.0

Question

Vulnerability in requests==2.31.0

JoseAmaral436 opened this issue a month ago · comments

José Amaral commented a month ago

Hello team,

Snyk has reported a vulnerability with requests==2.31.0 that is fixed in requests>=2.32

Is it possible to upgrade this requirement?

Thanks in advance,
José Amaral

Michael Mintz · Answer 1 · Thu Jun 06 2024 21:47:58 GMT+0800 (China Standard Time)

False positive for several reasons:

No known exploits. / Can't be exploited.
requests 2.31.0 was the latest release for a full year (and couldn't be exploited).
The CVE describes a specific case: Using requests.Session(verify=False), which isn't used.
Local only with high privileges required (meaning it can't be exploited by an attacker who isn't an admin user already, who would already have the permissions to do absolutely anything with Python already):

All current versions of requests after 2.31.0 are currently in worse shape: (2.32.3 is the current latest)

2.32.0: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
2.32.1: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
2.32.2: psf/requests#6715
2.32.3: psf/requests#6726

Hoping for a newer version of requests soon that fixes that. Currently 2.31.0 is the best version to have.

Your vulnerability scanning tool (Snyk) has a major vulnerability in that it can recommend upgrading to a newer release of a Python library that is in worse shape than an earlier version. I recommend remediation. GitHub's own security tools are currently quite good for that: https://docs.github.com/en/code-security