CVSSv2 score: 6.4

CVE-2021-28363

Published: 15/03/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

The urllib3 library 1.26.x prior to 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Vulnerable Products

python urllib3

fedoraproject fedora 34

oracle peoplesoft enterprise peopletools 8.59

Vendor Advisories

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with ...
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the defaul ...

Github Repositories

Deep dive into Clair image vulnerability scanning