The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
References
Link | Resource |
---|---|
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 | Patch Third Party Advisory |
https://github.com/urllib3/urllib3/commits/main | Patch Third Party Advisory |
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r | Mitigation Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/ | |
https://pypi.org/project/urllib3/1.26.4/ | Third Party Advisory |
https://security.gentoo.org/glsa/202107-36 | Third Party Advisory |
https://security.gentoo.org/glsa/202305-02 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
History
03 May 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Dec 2021, 19:58
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
20 Oct 2021, 11:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Sep 2021, 16:50
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 May 2021, 19:26
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
24 May 2021, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2021-03-15 18:15
Updated : 2024-02-04 21:23
NVD link : CVE-2021-28363
Mitre link : CVE-2021-28363
CVE.ORG link : CVE-2021-28363
JSON object : View
Products Affected
python
- urllib3
fedoraproject
- fedora
oracle
- peoplesoft_enterprise_peopletools
CWE
CWE-295
Improper Certificate Validation