CVE-2019-11324
Severity: 7.5 HIGH
EPSS: 1.3% (top 20.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18; latest update Nov 29
Description
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (3 packages)
Also affects: Ubuntu Linux 16.04, 18.04, 18.10, 19.04
Vulnerability Details

Vendor Advisories (5)
Microsoft (4), 2019-04-09: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succe...
Debian, 2019: CVE-2019-11324: python-urllib3 - The urllib3 library before 1.24.2 for Python mishandles certain cases where the ...

Community
Bugzilla (7), 2019-11-29: CVE-2019-11324 python-virtualenv: python-urllib3: Certification mishandle when error should be thrown [fedora-30]
Bugzilla, 2019-11-20: CVE-2019-11324 python-pip: python-urllib3: Certification mishandle when error should be thrown [fedora-all]
Bugzilla, 2019-06-27: CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown [fedora-all]
Bugzilla, 2019-05-08: CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown [openstack-rdo]