CVE-2021-28363

CWE-295 — Improper Certificate Validation8 documents7 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 71.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Urllib3 Fedoraproject Fedora Oracle Peoplesoft Enterprise Peopletools

Timeline

PublishedMar 15

Latest updateOct 15

Description

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

▶NVDpython/urllib31.26.0 — 1.26.4

▶Debianpython-urllib3< 1.26.4-1+3

▶PyPIurllib31.26.0 — 1.26.4

▶NVDoracle/peoplesoft_enterprise_peopletools8.59

Also affects: Fedora 34

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection↗2021-03-19

▶

GHSA

Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection↗2021-03-19

▶

OSV

CVE-2021-28363: The urllib3 library 1↗2021-03-15

▶

CVEList

CVE-2021-28363: The urllib3 library 1↗2021-03-15

▶

📋Vendor Advisories

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Porting (urllib3) — CVE-2021-28363↗2021-10-15

▶

Red Hat

python-urllib3: HTTPS proxy host name not validated when using default SSLContext↗2021-03-15

▶

Debian

CVE-2021-28363: python-urllib3 - The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate valida...↗2021

▶