CVE-2019-11324

HIGH

urllib3 < 1.24.2 - Improper Certificate Validation via SSL Context Handling

Title source: llm

Description

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Scores

CVSS v3 7.5
EPSS 0.0104
EPSS Percentile 77.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-295
Status published
Products (6)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
pypi/urllib3 0 - 1.24.2 (PyPI)
python/urllib3 < 1.24.2
Published Apr 18, 2019
Tracked Since Feb 18, 2026