CVE-2024-47081

Publication date 9 June 2025

Last updated 24 September 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

5.3 · Medium

Score breakdown

Description

Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-pip 25.04 plucky
Fixed 25.0+dfsg-1ubuntu0.2
24.10 oracular Ignored end of life, was needed
24.04 LTS noble
Fixed 24.0+dfsg-1ubuntu1.3
22.04 LTS jammy
Fixed 22.0.2+dfsg-1ubuntu0.7
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected
requests 25.04 plucky
Fixed 2.32.3+dfsg-4ubuntu1.1
24.10 oracular
Fixed 2.32.3+dfsg-1ubuntu1.1
24.04 LTS noble
Fixed 2.31.0+dfsg-1ubuntu1.1
22.04 LTS jammy
Fixed 2.25.1+dfsg-2ubuntu0.3
20.04 LTS focal
Fixed 2.22.0-2ubuntu1.1+esm1
18.04 LTS bionic
Fixed 2.18.4-2ubuntu0.1+esm2
16.04 LTS xenial
Fixed 2.9.1-3ubuntu0.1+esm2
14.04 LTS trusty
Fixed 2.2.1-1ubuntu0.4+esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

mdeslaur

On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
requests

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references