Ubuntu.comUB:CVE-2021-28363CVE-2021-28363
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
48.5%
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
validation in some cases involving HTTPS to HTTPS proxies. The initial
connection to the HTTPS proxy (if an SSLContext isn’t given via
proxy_config) doesn’t verify the hostname of the certificate. This means
certificates for different servers that still validate properly with the
default urllib3 SSLContext will be silently accepted.
Notes
| Author | Note |
|---|---|
| mdeslaur | the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required. |
| avital | introduced in 1.26.0 |
References
github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
github.com/urllib3/urllib3/commits/main
github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
launchpad.net/bugs/cve/CVE-2021-28363
nvd.nist.gov/vuln/detail/CVE-2021-28363
pypi.org/project/urllib3/1.26.4/
security-tracker.debian.org/tracker/CVE-2021-28363
www.cve.org/CVERecord?id=CVE-2021-28363
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
48.5%