Open inuyasha82 opened 1 month ago
@inuyasha82 The cve's description says that the vulnerability you mentioned above was fixed in 2.32.0 and we are already bound by that
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests
Session
, if the first request is made withverify=False
to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value ofverify
. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Requests has a known vulnerability, that is fixed in versions 2.32.3.
Anyway this project in our requirements is causing an alert, because it still resolve to an older version of requests, as can be seen here: https://github.com/IBM/ibm-cos-sdk-python-core/blob/c35f5f13b2195e8c44ce04593af0ca1c8cce0d24/setup.py#L9
Is possible to fix this issue?