CVE-2014-9365

CPython 2.x <2.7.9 & 3.x <3.4.3 - Man-in-the-Middle

Title source: llm
STIX 2.1

Description

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1162
Exploit, Vendor Advisory x_refsource_confirm
https://www.python.org/dev/peps/pep-0476/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71639
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1166
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1868
Exploit x_refsource_confirm
http://bugs.python.org/issue22417
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201503-10
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/12/11/1
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT205031
Release Notes x_refsource_confirm
https://www.python.org/downloads/release/python-279/

Scores

EPSS 0.0276
EPSS Percentile 86.2%

Details

Status published
Products (48)
apple/mac_os_x < 10.10.4
python/python 2.0
python/python 2.0.1
python/python 2.1
python/python 2.1.1
python/python 2.1.2
python/python 2.1.3
python/python 2.2
python/python 2.2.1
python/python 2.2.2
... and 38 more
Published Dec 12, 2014
Tracked Since Feb 18, 2026