Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwaGYtcHA3cC12YzJy
Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Impact
Users who are using an HTTPS proxy to issue HTTPS requests and haven't configured their own SSLContext via proxy_config.
Only the default SSLContext is impacted.
Patches
urllib3 >=1.26.4 has the issue resolved. urllib3<1.26 is not impacted due to not supporting HTTPS requests via HTTPS proxies.
Workarounds
Upgrading is recommended as this is a minor release and not likely to break current usage.
Configuring an SSLContext with check_hostname=True and passing via proxy_config instead of relying on the default SSLContext
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVwaGYtcHA3cC12YzJy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 12 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-5phf-pp7p-vc2r, CVE-2021-28363
References:
- https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
- https://nvd.nist.gov/vuln/detail/CVE-2021-28363
- https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
- https://github.com/urllib3/urllib3/releases/tag/1.26.4
- https://pypi.org/project/urllib3/1.26.4/
- https://github.com/urllib3/urllib3/commits/main
- https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#1264-2021-03-15
- https://lists.fedoraproject.org/archives/list/[email protected]/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
- https://security.gentoo.org/glsa/202107-36
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/pypa/advisory-db/tree/main/vulns/urllib3/PYSEC-2021-59.yaml
- https://security.gentoo.org/glsa/202305-02
- https://github.com/advisories/GHSA-5phf-pp7p-vc2r
Blast Radius: 36.6
Affected Packages
pypi:urllib3
Dependent packages: 3,966Dependent repositories: 422,295
Downloads: 513,562,492 last month
Affected Version Ranges: >= 1.26.0, < 1.26.4
Fixed in: 1.26.4
All affected versions: 1.26.0, 1.26.1, 1.26.2, 1.26.3
All unaffected versions: 0.3.1, 0.4.0, 0.4.1, 1.0.1, 1.0.2, 1.2.1, 1.2.2, 1.7.1, 1.8.2, 1.8.3, 1.9.1, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.13.1, 1.15.1, 1.18.1, 1.19.1, 1.21.1, 1.24.1, 1.24.2, 1.24.3, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.25.5, 1.25.6, 1.25.7, 1.25.8, 1.25.9, 1.25.10, 1.25.11, 1.26.4, 1.26.5, 1.26.6, 1.26.7, 1.26.8, 1.26.9, 1.26.10, 1.26.11, 1.26.12, 1.26.13, 1.26.14, 1.26.15, 1.26.16, 1.26.17, 1.26.18, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.2.0, 2.2.1