Your submission was sent successfully! Close

CVE-2021-28363

Published: 15 March 2021

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
python-pip
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
precise Does not exist

trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
python-urllib3
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
precise Does not exist

trusty Not vulnerable
(code not present)
upstream
Released (1.26.4)
xenial Not vulnerable
(code not present)