Lucene search

MitreCVE-2021-28363

HistoryMar 15, 2021 - 6:15 p.m.

CVE-2021-28363

2021-03-1518:15:19

CWE-295

mitre

web.nvd.nist.gov

130

cve-2021-28363

python

urllib3 library

ssl certificate validation

https

nvd

vulnerability

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

49.3%

JSON

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn’t given via proxy_config) doesn’t verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Affected configurations

Nvd

Node

pythonurllib3Range1.26.0–1.26.4

Node

fedoraprojectfedoraMatch34

Node

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

VendorProductVersionCPE
pythonurllib3*cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
oraclepeoplesoft_enterprise_peopletools8.59cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
python	urllib3	*	cpe:2.3:a:python:urllib3::::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
oracle	peoplesoft_enterprise_peopletools	8.59	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*