Vulnerability Description
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Urllib3 | >= 1.26.0, < 1.26.4 |
| Fedoraproject | Fedora | 34 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
Related Weaknesses (CWE)
References
- https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118 (Patch, Third Party Advisory)
- https://github.com/urllib3/urllib3/commits/main (Patch, Third Party Advisory)
- https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r (Mitigation, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://pypi.org/project/urllib3/1.26.4/ (Third Party Advisory)
- https://security.gentoo.org/glsa/202107-36 (Third Party Advisory)
- https://security.gentoo.org/glsa/202305-02
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-28363?
CVE-2021-28363 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
How severe is CVE-2021-28363?
CVE-2021-28363 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28363?
Check the references section above for vendor advisories and patch information. Affected products include: Python Urllib3, Fedoraproject Fedora, Oracle Peoplesoft Enterprise Peopletools.