GHSA-mh33-7rrq-662w

Source

https://github.com/advisories/GHSA-mh33-7rrq-662w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-mh33-7rrq-662w/GHSA-mh33-7rrq-662w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mh33-7rrq-662w

Aliases

Published

2019-04-19T16:55:10Z

Modified

2024-02-20T05:23:46.489118Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Certificate Validation in urllib3

Details

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

References

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.2

Affected versions

0.*

0.2

0.3

0.3.1

0.4.0

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.2

1.2.1

1.2.2

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.2

1.8.3

1.9

1.9.1

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.17

1.18

1.18.1

1.19

1.19.1

1.20

1.21

1.21.1

1.22

1.23

1.24

1.24.1