The application uses requests==2.20.0, which is severely outdated (released in 2018) and contains multiple known security vulnerabilities.
Evidence
File: /requirements/common.txt
Known CVEs
- CVE-2023-32681 - Unintended Proxy Authentication
- CVE-2024-35195 - Certificate verification bypass via sneaky redirect
- Multiple other security patches released in versions 2.21.0 through 2.32.x
Reproduction Steps
- Check the currently installed dependency:
    pip show requests
- Review the CVE database for version 2.20.0: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python+requests
- Observe that the version has critical security vulnerabilities
Impact
- Confidentiality: HIGH - Potential for man-in-the-middle attacks
- Integrity: HIGH - Certificate verification can be bypassed
- Availability: MEDIUM - Potential for denial of service
Remediation
Immediate Action Required:
- Update requirements/common.txt:
- Test compatibility:
    pip install requests==2.32.0
    python -m pytest tests/
- Update setup.py:
    install_requires=[
        'argparse>=1.4.0',
        'requests>=2.32.0'
    ],
Verification
    pip install --upgrade requests
    pip show requests | grep Version
    # Should show 2.32.0 or higher
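As an added example for this finding (not code from the audited application), the following Python gate parses a requirements pin and reports which of the CVEs listed above still apply to it, and reads the installed version the way the verification step does with pip show. The first-fixed versions (2.31.0 for CVE-2023-32681, 2.32.0 for CVE-2024-35195) and the sample requirements text are assumptions constructed from this finding, not taken from the real requirements/common.txt:

```python
"""Check a requirements pin for the requests CVEs named in this finding.

Added example for this finding, not code from the audited application.
The first-fixed versions below are assumptions drawn from the CVE list
(2.31.0 for CVE-2023-32681, 2.32.0 for CVE-2024-35195); the requirements
text is constructed to mirror the reported pin of requests==2.20.0.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for requirements/common.txt (the real file is not reproduced here).
SAMPLE_REQUIREMENTS = """\
# common runtime dependencies
argparse>=1.4.0
requests==2.20.0   # pinned in 2018
"""

# Assumed first patched release for each CVE in the finding.
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "CVE-2023-32681": ("unintended Proxy-Authorization leak", "2.31.0"),
    "CVE-2024-35195": ("certificate verification bypass", "2.32.0"),
}

# Matches "name==1.2.3", "name>=1.2.3" or "name~=1.2.3"; trailing comments are not captured.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|~=)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.20.0' into (2, 20, 0) so versions compare numerically, not as strings.

    Short forms such as '2.32' are padded to three components so that
    '2.32' and '2.32.0' compare equal.
    """
    parts = [int(part) for part in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_pins(requirements: str) -> Dict[str, Tuple[str, str]]:
    """Return {package_name: (operator, version)} for every pinned line.

    Blank lines and comment lines are skipped; unpinned names are ignored
    because there is no version to judge.
    """
    pins: Dict[str, Tuple[str, str]] = {}
    for line in requirements.splitlines():
        match = PIN_RE.match(line)
        if match:
            name, op, version = match.groups()
            pins[name.lower()] = (op, version)
    return pins


def vulnerable_cves(requirements: str) -> List[str]:
    """List the CVE ids whose fix is newer than the pinned (or minimum allowed) requests version.

    A '>=' lower bound is treated as the version that may end up installed,
    since nothing stops a resolver from picking exactly that release.
    """
    pins = parse_pins(requirements)
    if "requests" not in pins:
        return []
    _, pinned = pins["requests"]
    pinned_v = parse_version(pinned)
    return [cve for cve, (_, fixed) in FIXED_IN.items() if pinned_v < parse_version(fixed)]


def installed_requests_version() -> Optional[str]:
    """Version of requests in the current environment, or None when it is not installed.

    Mirrors the 'pip show requests' verification step without shelling out.
    """
    try:
        from importlib.metadata import version, PackageNotFoundError
    except ImportError:  # Python older than 3.8 has no importlib.metadata
        return None
    try:
        return version("requests")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for cve in vulnerable_cves(SAMPLE_REQUIREMENTS):
        print(f"{cve}: {FIXED_IN[cve][0]} (fixed in {FIXED_IN[cve][1]})")
    print("installed:", installed_requests_version())
```

Run it against the real requirements/common.txt contents in CI and fail the build when vulnerable_cves returns a non-empty list; a pin of requests>=2.32.0 (as in the setup.py above) yields no findings, while the reported requests==2.20.0 pin flags both CVEs.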