#VU90156 Security features bypass in Requests


Published: 2024-05-31

Vulnerability identifier: #VU90156

Vulnerability risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35195

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Requests
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the session object does not verify requests after making first request with verify=False. A local administrator can bypass authentication.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Requests: 2.0.0 - 2.31.0

External links
http://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
http://github.com/psf/requests/pull/6655
http://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar App SDK
Multiple vulnerabilities in IBM SOAR QRadar Plugin App
Splunk Enterprise update for third-party components
SUSE update for Recommended update for python-requests
SUSE update for Recommended update for python-requests
SUSE update for Recommended update for python-requests
IBM Data Observability by Databand Self-Hosted update for Psf Requests
Multiple vulnerabilities in IBM Storage Protect Plus File Systems Agent
Fedora 41 update for crosswords
F5 Traffix SDC update for Python Requests