CVE-2021-28363 Information

Description

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn’t given via proxy_config) doesn’t verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference

https://github.com/urllib3/urllib3/commits/main https://github.com/urllib3/urllib3/commits/main https://pypi.org/project/urllib3/1.26.4/ https://pypi.org/project/urllib3/1.26.4/ https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/ https://security.gentoo.org/glsa/202107-36 https://www.oracle.com/security-alerts/cpuoct2021.html The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn’t given via proxy_config) doesn’t verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. cpe:2.3:a:python:urllib3::::::::

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.5