CVE-2024-35195
Publication date 20 May 2024
Last updated 2 June 2026
Ubuntu priority
CVSS 3 Severity Score
Description
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable certificate verification, all subsequent requests to the same host will continue to ignore certificate verification regardless of changes to the value of `verify`. This behavior persists for the lifetime of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
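As an added example (not part of this tracker entry or of the Requests project), a stdlib-only helper that checks whether a Requests version string predates the 2.32.0 fix and walks Python source for calls that pass `verify=False`, the pattern that leaves a pooled connection unverified on affected versions; the sample source and hostnames are constructed.

```python
import ast

FIXED_VERSION = (2, 32, 0)  # first Requests release with the fix, per this advisory

def is_affected(version: str) -> bool:
    """True when a Requests version predates 2.32.0; accepts '2.31.0' and
    Debian/Ubuntu package versions such as '2.32.3+dfsg-1ubuntu1'."""
    core = version.split("+")[0].split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) < FIXED_VERSION

def find_verify_false(source: str):
    """Return (line, callee) for every call in `source` that passes verify=False.
    On affected versions one such call on a shared Session leaves every later
    request to that host unverified, so each hit is a place to review."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                hits.append((node.lineno, ast.unparse(node.func)))
    return sorted(hits)

# Constructed sample (not from the advisory) showing the pattern the CVE describes.
SAMPLE = '''
import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)  # verification disabled here
s.get("https://internal.example/secrets", verify=True)  # reuses the pooled connection
requests.get("https://other.example/", verify=False)
'''

if __name__ == "__main__":
    print("requests 2.31.0 affected:", is_affected("2.31.0"))
    for line, func in find_verify_false(SAMPLE):
        print(f"line {line}: {func}(..., verify=False)")
```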
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| requests | 26.04 LTS resolute | Fixed 2.32.3+dfsg-1ubuntu1 |
| requests | 25.10 questing | Fixed 2.32.3+dfsg-1ubuntu1 |
| requests | 24.04 LTS noble | Ignored (breaks users, requires source code updates) |
| requests | 22.04 LTS jammy | Ignored (breaks users, requires source code updates) |
| requests | 20.04 LTS focal | Ignored (end of standard support; was ignored [breaks users, requires source code updates]) |
| requests | 18.04 LTS bionic | Ignored (breaks users, requires source code updates) |
| requests | 16.04 LTS xenial | Ignored (end of ESM support; was ignored [breaks users, requires source code updates]) |
| requests | 14.04 LTS trusty | Ignored (end of ESM support; was ignored [breaks users, requires source code updates]) |
| python-pip | 26.04 LTS resolute | Not affected |
| python-pip | 25.10 questing | Not affected |
| python-pip | 24.04 LTS noble | Fixed 24.0+dfsg-1ubuntu1.3+esm1 |
| python-pip | 22.04 LTS jammy | Fixed 22.0.2+dfsg-1ubuntu0.7+esm1 |
| python-pip | 20.04 LTS focal | Ignored (end of standard support; was ignored [bundles requests during build, and requests cannot be patched]) |
| python-pip | 18.04 LTS bionic | Ignored (bundles requests during build, and requests cannot be patched) |
| python-pip | 16.04 LTS xenial | Ignored (end of ESM support; was ignored [bundles requests during build, and requests cannot be patched]) |
| python-pip | 14.04 LTS trusty | Ignored (end of ESM support; was ignored [bundles requests during build, and requests cannot be patched]) |
Notes
mdeslaur
On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. The fix for this issue introduced regressions in certain other applications, such as docker (see https://github.com/docker/docker-py/pull/3257), and resulted in 2.32.0 and 2.32.1 being yanked (see https://pypi.org/project/requests/#history). 2.32.2 and 2.32.3 were subsequently released to fix those regressions. Even with the regression fixes in 2.32.2 and 2.32.3, fixing this may still break applications that subclass HTTPAdapter, for example cloud-init. See: https://github.com/canonical/cloud-init/pull/5435
vyomydv
The CVE patch causes a regression. The patch enforced the URL scheme to be either `http` or `https`. This broke users that used a custom scheme (e.g. `http+docker`) by implementing a custom `get_connection` method while still using the default `send` method. Patching this CVE would require some users to update their source code, as in https://github.com/docker/docker-py/pull/3257. python-pip, on focal and earlier versions, bundles requests during the build. Since requests can't be patched due to breaking changes, python-pip has been ignored on focal and earlier.
Patch details
| Package | Patch details |
|---|---|
| requests | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | High |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8344-1: pip vulnerabilities (28 May 2026)