CVE-2014-9365 — Insufficient Verification of Data Authenticity in Python

CWE-345 — Insufficient Verification of Data Authenticity7 documents7 sources

Severity

5.8MEDIUMNVD

EPSS

2.1%

top 15.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Python2.7 Apple MAC OS X Apple OS X Yosemite V10.10.5 AND Security Update 2015-006 +1 more

Timeline

PublishedDec 12

Latest updateMay 13

Description

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages4 packages

▶debiandebian/python2.7< python2.7 2.7.9-1 (bullseye)

▶NVDpython/python77 versions+76

▶NVDapple/mac_os_x10.10.4

▶Appleapple/os_x_yosemite_v10.10.5_and_security_update_2015-006

🔴Vulnerability Details

GHSA

GHSA-fj2p-9cqv-m944: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2↗2022-05-13

▶

OSV

CVE-2014-9365: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2↗2014-12-12

▶

📋Vendor Advisories

Red Hat

python: failure to validate certificates in the HTTP client with TLS (PEP 476)↗2014-12-11

▶

Debian

CVE-2014-9365: python2.7 - The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib ...↗2014

▶

Apple

CVE-2014-9365: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)↗2014-12-11

▶