{"url":"http://public2.vulnerablecode.io/api/packages/8636?format=json","purl":"pkg:pypi/requests@2.0.0","type":"pypi","namespace":"","name":"requests","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.31.0","latest_non_vulnerable_version":"2.31.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34926?format=json","vulnerability_id":"VCID-3zpr-hwqn-fucx","summary":"Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.","references":[{"reference_url":"http://advisories.mageia.org/MGASA-2014-0409.html","reference_id":"","reference_type":"","scores":[],"url":"http://advisories.mageia.org/MGASA-2014-0409.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"},{"reference_url":"https://github.com/advisories/GHSA-cfj3-7x9c-4p3h","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfj3-7x9c-4p3h"},{"reference_url":"https://github.com/kennethreitz/requests/issues/1885","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/kennethreitz/requests/issues/1885"},{"reference_url":"http://www.debian.org/security/2015/dsa-3146","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2015/dsa-3146"},{"reference_url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:133","reference_id":"","reference_type":"","scores":[],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"},{"reference_url":"http://www.ubuntu.com/usn/USN-2382-1","reference_id":"","reference_type":"","scores":[],"url":"http://www.ubuntu.com/usn/USN-2382-1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8641?format=json","purl":"pkg:pypi/requests@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1z4e-21g7-bqbq"},{"vulnerability":"VCID-k5e5-nfns-gyd8"},{"vulnerability":"VCID-y16k-z2b6-8bam"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.3.0"}],"aliases":["CVE-2014-1829","GHSA-cfj3-7x9c-4p3h","PYSEC-2014-13"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zpr-hwqn-fucx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34925?format=json","vulnerability_id":"VCID-8atb-eajh-gkdp","summary":"Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.","references":[{"reference_url":"http://advisories.mageia.org/MGASA-2014-0409.html","reference_id":"","reference_type":"","scores":[],"url":"http://advisories.mageia.org/MGASA-2014-0409.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2016-01/msg00095.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-updates/2016-01/msg00095.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"},{"reference_url":"https://github.com/advisories/GHSA-652x-xj99-gmcc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-652x-xj99-gmcc"},{"reference_url":"https://github.com/kennethreitz/requests/issues/1885","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/kennethreitz/requests/issues/1885"},{"reference_url":"https://github.com/psf/requests","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/psf/requests"},{"reference_url":"https://github.com/psf/requests/issues/1885","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/psf/requests/issues/1885"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2014-14.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2014-14.yaml"},{"reference_url":"https://web.archive.org/web/20150523055216/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:133/?name=MDVSA-2015:133","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20150523055216/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:133/?name=MDVSA-2015:133"},{"reference_url":"http://www.debian.org/security/2015/dsa-3146","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2015/dsa-3146"},{"reference_url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:133","reference_id":"","reference_type":"","scores":[],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1830","reference_id":"CVE-2014-1830","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1830"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8641?format=json","purl":"pkg:pypi/requests@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1z4e-21g7-bqbq"},{"vulnerability":"VCID-k5e5-nfns-gyd8"},{"vulnerability":"VCID-y16k-z2b6-8bam"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.3.0"}],"aliases":["CVE-2014-1830","GHSA-652x-xj99-gmcc","PYSEC-2014-14"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8atb-eajh-gkdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35272?format=json","vulnerability_id":"VCID-y16k-z2b6-8bam","summary":"The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.","references":[{"reference_url":"http://docs.python-requests.org/en/master/community/updates/#release-and-version-history","reference_id":"","reference_type":"","scores":[],"url":"http://docs.python-requests.org/en/master/community/updates/#release-and-version-history"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:2035","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:2035"},{"reference_url":"https://bugs.debian.org/910766","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.debian.org/910766"},{"reference_url":"https://github.com/advisories/GHSA-x84v-xcm2-53pg","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x84v-xcm2-53pg"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml"},{"reference_url":"https://github.com/requests/requests","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/requests/requests"},{"reference_url":"https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff"},{"reference_url":"https://github.com/requests/requests/issues/4716","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/requests/requests/issues/4716"},{"reference_url":"https://github.com/requests/requests/pull/4718","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/requests/requests/pull/4718"},{"reference_url":"https://usn.ubuntu.com/3790-1","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3790-1"},{"reference_url":"https://usn.ubuntu.com/3790-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3790-1/"},{"reference_url":"https://usn.ubuntu.com/3790-2","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3790-2"},{"reference_url":"https://usn.ubuntu.com/3790-2/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3790-2/"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-18074","reference_id":"CVE-2018-18074","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-18074"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/12309?format=json","purl":"pkg:pypi/requests@2.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k5e5-nfns-gyd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.20.0"}],"aliases":["CVE-2018-18074","GHSA-x84v-xcm2-53pg","PYSEC-2018-28"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y16k-z2b6-8bam"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.0.0"}