CVE-2021-28363

Name
CVE-2021-28363
Description
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial TLS connection to the HTTPS proxy (when no SSLContext is supplied via proxy_config) does not verify the hostname in the proxy's certificate. As a result, a certificate issued for a different server is silently accepted as long as it otherwise validates under the default urllib3 SSLContext.
NVD Severity
medium

References

Type URI
Patch https://github.com/urllib3/urllib3/commits/main
Third Party Advisory https://pypi.org/project/urllib3/1.26.4/
Patch https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Mitigation https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
Third Party Advisory https://security.gentoo.org/glsa/202107-36
MISC https://www.oracle.com/security-alerts/cpuoct2021.html

Match rules

CPE URI: cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
Source package: urllib3
Min version: >= 1.26.0
Max version: < 1.26.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status