CVE-2021-28363

Опубликовано: 15 мар. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 6.4

EPSS Низкий

Описание

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Ссылки

https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Patch
Third Party Advisory
https://github.com/urllib3/urllib3/commits/main
Patch
Third Party Advisory
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Mitigation
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
https://pypi.org/project/urllib3/1.26.4/
Third Party Advisory
https://security.gentoo.org/glsa/202107-36
Third Party Advisory
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20240621-0007/
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Patch
Third Party Advisory
https://github.com/urllib3/urllib3/commits/main
Patch
Third Party Advisory
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Mitigation
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
https://pypi.org/project/urllib3/1.26.4/
Third Party Advisory
https://security.gentoo.org/glsa/202107-36
Third Party Advisory
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20240621-0007/
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

Версия от 1.26.0 (включая) до 1.26.4 (исключая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00107

Низкий

6.5 Medium

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-295

Связанные уязвимости

CVE-2021-28363

CVSS3: 6.5

ubuntu

почти 5 лет назад

CVE-2021-28363

CVSS3: 6.5

redhat

почти 5 лет назад

CVE-2021-28363

CVSS3: 6.5

debian

почти 5 лет назад

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certific ...

GHSA-5phf-pp7p-vc2r

CVSS3: 6.5

github

почти 5 лет назад

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection

BDU:2025-04191

CVSS3: 6.5

fstec

почти 5 лет назад

Уязвимость HTTP библиотеки Urllib3 языка программирования Python, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

EPSS

Процентиль: 29%

0.00107

Низкий

6.5 Medium

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-295