CVE-2024-35195 alert caused by pinning requests to version <2.32.3

[inuyasha82]

Requests has a known vulnerability, that is fixed in versions 2.32.3.

Anyway this project in our requirements is causing an alert, because it still resolve to an older version of requests, as can be seen here: https://github.com/IBM/ibm-cos-sdk-python-core/blob/c35f5f13b2195e8c44ce04593af0ca1c8cce0d24/setup.py#L9

requires = [
    'jmespath>=0.10.0,<=1.0.1',
    'python-dateutil>=2.9.0,<3.0.0',
    'requests>=2.32.0,<2.32.3',
    'urllib3>=1.26.18,<3',
]

Is possible to fix this issue?

[avinash1IBM]

@inuyasha82 The cve's description says that the vulnerability you mentioned above was fixed in 2.32.0 and we are already bound by that

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

[benSchaper]

I'm encountering an additional dependency conflict related to this version constraint. When trying to use this package alongside others that require requests>=2.32.3 like Docling the dependency resolver fails due to the upper bound <2.32.3 in ibm-cos-sdk-core.

Would it be possible to remove or update the upper bound constraint on requests to allow newer compatible versions? This would help resolve dependency conflicts while maintaining security requirements.

[avinash1IBM]

@benSchaper Our team is working on it and will update you.