Nixpkgs security tracker
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598
requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .
References
-
https://github.com/saleor/requests-hardened/releases/tag/v1.2.1 x_refsource_MISC
Affected products
- ==< 1.2.1
Matching in nixpkgs
pkgs.python312Packages.requests-hardened
Library that adds hardened behavior to python requests
pkgs.python313Packages.requests-hardened
Library that adds hardened behavior to python requests
pkgs.python314Packages.requests-hardened
Library that adds hardened behavior to python requests
Package maintainers
-
@ryand56 Ryan Omasta <git@ryand.ca>