CVE-2021-28363
Severity: MEDIUM
urllib3 1.26.0-1.26.3 - Improper Certificate Validation in HTTPS Proxy Connections
Title source: llm
Description
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
References (9)
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202107-36
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-02
Patch, Third Party Advisory
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Mitigation, Third Party Advisory
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Third Party Advisory
https://pypi.org/project/urllib3/1.26.4/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0007/
Scores
CVSS v3
6.5
EPSS
0.0011
EPSS Percentile
29.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-295
Status
published
Products (4)
fedoraproject/fedora
34
oracle/peoplesoft_enterprise_peopletools
8.59
pypi/urllib3
1.26.0 - 1.26.4 (PyPI)
python/urllib3
1.26.0 - 1.26.4
Published
Mar 15, 2021
Tracked Since
Feb 18, 2026