Lucene search
K

Debian dsa-6102 : python3-urllib3 - security update

🗓️ 17 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

DSA-6102 fixes python urllib3 vulnerabilities; upgrade to bookworm 1.26.12-1+deb12u2 or trixie 2.3.0-3+deb13u1.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a URL Redirection to Untrusted Site ('Open Redirect') in urllib3 [CVE-2025-50181, CVE-2025-50182]
27 Feb 202615:59
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in IBM Security QRadar EDR Software
11 Feb 202616:52
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in urllib3 affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
4 May 202614:26
ibm
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses urllib3 which is vulnerable to CVE-2025-66418 and CVE-2025-66471
6 Feb 202606:12
ibm
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471.
30 Jan 202606:04
ibm
IBM Security Bulletins
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to urllib3
1 Apr 202610:31
ibm
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.
30 Apr 202612:13
ibm
IBM Security Bulletins
Security Bulletin: Multiple Security vulnerabilities affecting IBM Knowledge Catalog Premium Cartridge
7 Apr 202620:13
ibm
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses urllib3-2.5.0-py3-none-any.whl, urllib3-2.6.1-py3-none-any.whl, urllib3-2.6.2-py3-none-any.whl which is vulnerable to CVE-2025-66418, CVE-2025-66471, CVE-2026-21441.
27 Feb 202611:41
ibm
IBM Security Bulletins
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with Requests and urlib3
23 Oct 202520:25
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-6102. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(291292);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/17");

  script_cve_id("CVE-2025-50181", "CVE-2025-66418", "CVE-2026-21441");

  script_name(english:"Debian dsa-6102 : python3-urllib3 - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 12 / 13 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dsa-6102 advisory.

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-6102-1                   [email protected]
    https://www.debian.org/security/                     Salvatore Bonaccorso
    January 17, 2026                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : python-urllib3
    CVE ID         : CVE-2025-50181 CVE-2025-66418 CVE-2026-21441
    Debian Bug     : 1108076 1122030 1125062

    Several vulnerabilities were discovered in python-urllib3, a HTTP
    library with thread-safe connection pooling for Python3, which could
    result in denial of service or request forgery.

    For the oldstable distribution (bookworm), these problems have been fixed
    in version 1.26.12-1+deb12u2.

    For the stable distribution (trixie), these problems have been fixed in
    version 2.3.0-3+deb13u1.

    We recommend that you upgrade your python-urllib3 packages.

    For the detailed security status of python-urllib3 please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/python-urllib3

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://security-tracker.debian.org/tracker/source-package/python-urllib3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb907009");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-50181");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-66418");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-21441");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/python-urllib3");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/trixie/python-urllib3");
  script_set_attribute(attribute:"solution", value:
"Upgrade the python3-urllib3 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-50181");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-21441");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-urllib3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(12)\.[0-9]+|^(13)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 12.0 / 13.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '12.0', 'prefix': 'python3-urllib3', 'reference': '1.26.12-1+deb12u2'},
    {'release': '13.0', 'prefix': 'python3-urllib3', 'reference': '2.3.0-3+deb13u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-urllib3');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jan 2026 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 3.17.5
CVSS 48.9
EPSS0.02667
SSVC
8