mdmintz
commented
3 weeks ago False positive for several reasons:
- No known exploits. / Can't be exploited.
requests2.31.0was the latest release for a full year (and couldn't be exploited).- The CVE describes a specific case: Using
requests.Session(verify=False), which isn't used. - Local only with high privileges required (meaning it can't be exploited by an attacker who isn't an admin user already, who would already have the permissions to do absolutely anything with Python already):
All current versions of requests after 2.31.0 are currently in worse shape: (2.32.3 is the current latest)
2.32.0: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history2.32.1: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history2.32.2: https://github.com/psf/requests/issues/67152.32.3: https://github.com/psf/requests/issues/6726
Hoping for a newer version of requests soon that fixes that. Currently 2.31.0 is the best version to have.
Your vulnerability scanning tool (Snyk) has a major vulnerability in that it can recommend upgrading to a newer release of a Python library that is in worse shape than an earlier version. I recommend remediation. GitHub's own security tools are currently quite good for that: https://docs.github.com/en/code-security
Hello team,
Snyk has reported a vulnerability with requests==2.31.0 that is fixed in requests>=2.32
Is it possible to upgrade this requirement?
Thanks in advance, José Amaral