(unused) vendored requests is vulnerable to CVE-2018-18074

Assuming [this history](https://github.com/boto/botocore/commits/develop/botocore/vendored/requests) is correct, it is currently vendored at 2.7.0

Versions prior to [2.20.0](http://docs.python-requests.org/en/master/community/updates/#id2) are vulnerable to this

See [CVE-2018-18074](https://nvd.nist.gov/vuln/detail/CVE-2018-18074)

This vendored copy is not used by botocore itself any more, though some downstream libraries (such as pynamodb) are reaching into botocore's vendor directory and using it

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(unused) vendored requests is vulnerable to CVE-2018-18074 #1608

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

(unused) vendored requests is vulnerable to CVE-2018-18074 #1608

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions