Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wd3g1LXhnN2ctd3BjNc4AAZ9h
Tweepy does not verify SSL Certificate
Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python httplib library.
Permalink: https://github.com/advisories/GHSA-pwx5-xg7g-wpc5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wd3g1LXhnN2ctd3BjNc4AAZ9h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 9 months ago
Identifiers: GHSA-pwx5-xg7g-wpc5, CVE-2012-5825
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-5825
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79831
- http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
- https://github.com/tweepy/tweepy/issues/279
- https://github.com/tweepy/tweepy/pull/400
- https://github.com/advisories/GHSA-pwx5-xg7g-wpc5
Blast Radius: 0.0
Affected Packages
pypi:tweepy
Dependent packages: 101
Dependent repositories: 14,544
Downloads: 1,422,938 last month
Affected Version Ranges: < 3.0
Fixed in: 3.0
All affected versions: 1.7.1, 2.3.0
All unaffected versions: 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.10.1, 4.11.0, 4.12.0, 4.12.1, 4.13.0, 4.14.0