-
Notifications
You must be signed in to change notification settings - Fork 0
[Cycode] Fix for vulnerable manifest file dependency - requests updated to version 2.20.0 #133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,5 +1,5 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| -r ../dev-requirements.txt | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| sphinx>3.0.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| requests>=2,<2.16 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| requests==2.20.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Check failure on line 3 in gitea/repositories/white-rabbit/docs/requirements.txt
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerability found in newly introduced dependency.
ImpactDue to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. WorkaroundsFor older versions of Requests, use of the .netrc file can be disabled with Referencespsf/requests#6965 DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerability found in newly introduced dependency.
ImpactThe Affected usagesStandard usage of the Requests library is not affected by this vulnerability. Only applications that call RemediationUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerability found in newly introduced dependency.
When using a This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerability found in newly introduced dependency.
ImpactSince Requests v2.3.0, Requests has been vulnerable to potentially leaking Current vulnerable behavior(s):
For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the The reason this currently works for HTTPS connections in Requests is the PatchesStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager. For users with custom adapters, this may be potentially breaking if you were already working around this behavior. The previous functionality of WorkaroundsFor users who are not able to update Requests immediately, there is one potential workaround. You may disable redirects by setting CreditsThis vulnerability was discovered and disclosed by the following individuals. Dennis Brinkrolf, Haxolot (https://haxolot.com/) DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| furo | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| sphinx-copybutton | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❗Cycode: Security vulnerabilities found in newly introduced dependency.
requestsrequests 2.20.0The following vulnerabilities were introduced:
Highest fixed version: 2.33.0
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands: