Description
Using the default SSLContext for HTTPS requests through an HTTPS proxy does not verify the certificate hostname on the proxy connection.
Impact
Affected are users who issue HTTPS requests through an HTTPS proxy and have not configured their own SSLContext via proxy_config.
Only the default SSLContext is impacted.
Patches
urllib3 >= 1.26.4 has the issue resolved. urllib3 < 1.26 is not impacted because it does not support HTTPS requests via HTTPS proxies.
Workarounds
Upgrading is recommended, as this is a minor release and not likely to break current usage.
Alternatively, configure an SSLContext with check_hostname=True and pass it via proxy_config instead of relying on the default SSLContext.
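The workaround above, as an added example that is not part of the advisory or of urllib3 itself: build an SSLContext that verifies both the certificate chain and the hostname for the client-to-proxy leg, audit it, and hand it to urllib3's ProxyManager. It assumes urllib3 >= 1.26.0, where ProxyManager accepts a `proxy_ssl_context` argument (the public way to populate the proxy_config the advisory refers to); the proxy URL and `cafile` are placeholders.

```python
"""Added example (not from the advisory or urllib3): explicit SSLContext for
the proxy connection, the workaround for CVE-2021-28363."""
import ssl


def hardened_proxy_ssl_context(cafile=None):
    """SSLContext that verifies the proxy's certificate chain *and* hostname.

    ssl.create_default_context() already enables both checks; they are set
    again explicitly so the requirement is visible and a later edit cannot
    silently drop one of them. `cafile` (assumed, optional) points at a
    private CA bundle for a corporate proxy; otherwise the system store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # must be set before check_hostname = True
    ctx.check_hostname = True
    return ctx


def proxy_context_is_safe(ctx):
    """Audit helper: True only when chain and hostname verification are both on.

    A context passing this check rejects the case the advisory describes:
    a certificate with a valid chain but issued for a different hostname.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def constructed_weak_context():
    """Constructed illustration of the failing property (chain verified,
    hostname not). This is not urllib3's internal code, only a context that
    shares the weakness so the audit helper has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # chain still checked, hostname ignored
    return ctx


def make_proxy_manager(proxy_url, cafile=None):
    """Wire the hardened context into urllib3's HTTPS-proxy support.

    Assumes urllib3 >= 1.26.0 (ProxyManager takes `proxy_ssl_context`).
    urllib3 is imported lazily so the audit helpers above need only stdlib.
    """
    import urllib3
    ctx = hardened_proxy_ssl_context(cafile)
    if not proxy_context_is_safe(ctx):
        raise ValueError("refusing a proxy SSLContext without hostname verification")
    return urllib3.ProxyManager(proxy_url, proxy_ssl_context=ctx)


if __name__ == "__main__":
    print("hardened:", proxy_context_is_safe(hardened_proxy_ssl_context()))  # True
    print("weak:", proxy_context_is_safe(constructed_weak_context()))       # False
    # make_proxy_manager("https://proxy.example:3128")  # placeholder proxy URL
```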
For more information
If you have any questions or comments about this advisory:
- Email us at sethmichaellarson@gmail.com
References
- https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
- https://nvd.nist.gov/vuln/detail/CVE-2021-28363
- https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2021-59.yaml
- https://github.com/pypa/advisory-db/tree/main/vulns/urllib3/PYSEC-2021-59.yaml
- https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#1264-2021-03-15
- https://github.com/urllib3/urllib3/commits/main
- https://github.com/urllib3/urllib3/releases/tag/1.26.4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL
- https://pypi.org/project/urllib3/1.26.4
- https://security.gentoo.org/glsa/202107-36
- https://security.gentoo.org/glsa/202305-02
- https://security.netapp.com/advisory/ntap-20240621-0007
- https://www.oracle.com/security-alerts/cpuoct2021.html
Packages
urllib3: affected versions >= 1.26.0, < 1.26.4; patched in 1.26.4
Related vulnerabilities
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
A vulnerability in the Urllib3 HTTP library for the Python programming language, related to errors in the certificate validation procedure, allows an attacker to gain access to confidential data and violate its integrity.