search

IBM / ibm-cos-sdk-python-core

ibm-cos-sdk-python-core
Apache License 2.0
6 stars 14 forks source link

CVE-2024-35195 alert caused by pinning requests to version <2.32.3 #30

Open inuyasha82 opened 1 month ago

inuyasha82 commented 1 month ago

Requests has a known vulnerability, that is fixed in versions 2.32.3.

Anyway this project in our requirements is causing an alert, because it still resolve to an older version of requests, as can be seen here: https://github.com/IBM/ibm-cos-sdk-python-core/blob/c35f5f13b2195e8c44ce04593af0ca1c8cce0d24/setup.py#L9

requires = [
    'jmespath>=0.10.0,<=1.0.1',
    'python-dateutil>=2.9.0,<3.0.0',
    'requests>=2.32.0,<2.32.3',
    'urllib3>=1.26.18,<3',
]

Is possible to fix this issue?

avinash1IBM commented 1 month ago

@inuyasha82 The cve's description says that the vulnerability you mentioned above was fixed in 2.32.0 and we are already bound by that

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.