CVE-2021-28363
Published: 15 March 2021
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Notes
| Author | Note |
|---|---|
| mdeslaur | the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required. |
| avital | introduced in 1.26.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-pip Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(21.1)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/pypa/pip/commit/960c01adce491de00ef7a8d02a32fea31b15a1dc |
||
|
python-urllib3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(1.26.4)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
- https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
- https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
- https://github.com/urllib3/urllib3/commits/main
- https://pypi.org/project/urllib3/1.26.4/
- https://www.cve.org/CVERecord?id=CVE-2021-28363
- NVD
- Launchpad
- Debian