Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:Medium] requests Always-Incorrect Control Flow Implementation (Due: 08/19/2024) #5845

Closed
1 task
pkfec opened this issue May 22, 2024 · 0 comments · Fixed by #5894
Closed
1 task

[Snyk:Medium] requests Always-Incorrect Control Flow Implementation (Due: 08/19/2024) #5845

pkfec opened this issue May 22, 2024 · 0 comments · Fixed by #5894
Assignees
@cnlucas
Labels
Security: moderate Remediate within 60 days
Milestone
25.5

Comments

@pkfec
Copy link
Contributor

pkfec commented May 22, 2024

###Overview
Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

Introduced through:

[email protected]

Remediation:

upgrade requests to v2.32.0

Completion criteria:

  • upgrade requests to v2.32.0 and verify snyk cli no longer flags requests as vulnerable package
@pkfec pkfec added the Security: moderate Remediate within 60 days label May 22, 2024
@pkfec pkfec added this to the 25.5 milestone May 22, 2024
@pkfec pkfec mentioned this issue May 22, 2024
Closed
3 tasks
This was referenced May 29, 2024
Closed
Closed
@pkfec pkfec mentioned this issue Jun 12, 2024
Closed
2 tasks
@pkfec pkfec mentioned this issue Jun 20, 2024
Closed
3 tasks
@cnlucas cnlucas mentioned this issue Jun 26, 2024
Closed
2 tasks
@tmpayton tmpayton moved this to 🔜 Sprint backlog in Website project Jul 3, 2024
@cnlucas cnlucas mentioned this issue Jul 3, 2024
Closed
3 tasks
@tmpayton tmpayton moved this from 🔜 Sprint backlog to 📥 Assigned in Website project Jul 9, 2024
@cnlucas cnlucas mentioned this issue Jul 9, 2024
Merged
@fec-jli fec-jli mentioned this issue Jul 10, 2024
Closed
2 tasks
@fec-jli fec-jli mentioned this issue Jul 17, 2024
Closed
3 tasks
@github-project-automation github-project-automation bot moved this from 📥 Assigned to ✅ Done in Website project Jul 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Security: moderate Remediate within 60 days
Projects
Website project
Status: ✅ Done
Milestone
25.5
Development

Successfully merging a pull request may close this issue.

5845-upgrade requests fecgov/openFEC
2 participants
@pkfec @cnlucas