Lucene search

GoogleOSV:GHSA-5PHF-PP7P-VC2R

HistoryMar 19, 2021 - 7:42 p.m.

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection

2021-03-1919:42:11

Google

osv.dev

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

48.5%

JSON

Impact

Users who are using an HTTPS proxy to issue HTTPS requests and haven’t configured their own SSLContext via proxy_config.
Only the default SSLContext is impacted.

Patches

urllib3 >=1.26.4 has the issue resolved. urllib3<1.26 is not impacted due to not supporting HTTPS requests via HTTPS proxies.

Workarounds

Upgrading is recommended as this is a minor release and not likely to break current usage.

Configuring an SSLContext with check_hostname=True and passing via proxy_config instead of relying on the default SSLContext

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

CPENameOperatorVersion
urllib3eq1.26.0
urllib3eq1.26.1
urllib3eq1.26.3
urllib3eq1.26.2

Name	Operator	Version
urllib3	eq	1.26.0
urllib3	eq	1.26.1
urllib3	eq	1.26.3
urllib3	eq	1.26.2

References

github.com/pypa/advisory-db/tree/main/vulns/urllib3/PYSEC-2021-59.yaml

github.com/urllib3/urllib3

github.com/urllib3/urllib3/blob/main/CHANGES.rst#1264-2021-03-15

github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0

github.com/urllib3/urllib3/commits/main

github.com/urllib3/urllib3/releases/tag/1.26.4

github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r

lists.fedoraproject.org/archives/list/[email protected]/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL

nvd.nist.gov/vuln/detail/CVE-2021-28363

pypi.org/project/urllib3/1.26.4

security.gentoo.org/glsa/202107-36

security.gentoo.org/glsa/202305-02

www.oracle.com/security-alerts/cpuoct2021.html

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

48.5%

JSON

Related for OSV:GHSA-5PHF-PP7P-VC2R