NVD Vulnerability Detail

CVE-2021-28363

Summary	The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Publication Date	March 16, 2021, 3:15 a.m.
Registration Date	March 16, 2021, 10:03 a.m.
Last Update	Nov. 21, 2024, 2:59 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:python:urllib3::::::::		1.26.0			1.26.4

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0	Patch Third Party Advisory
2	https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0	Patch Third Party Advisory
3	https://github.com/urllib3/urllib3/commits/main	Patch Third Party Advisory
4	https://github.com/urllib3/urllib3/commits/main	Patch Third Party Advisory
5	https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r	Mitigation Third Party Advisory
6	https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r	Mitigation Third Party Advisory
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
9	https://pypi.org/project/urllib3/1.26.4/	Third Party Advisory
10	https://pypi.org/project/urllib3/1.26.4/	Third Party Advisory
11	https://security.gentoo.org/glsa/202107-36	Third Party Advisory
12	https://security.gentoo.org/glsa/202107-36	Third Party Advisory
13	https://security.gentoo.org/glsa/202305-02
14	https://security.gentoo.org/glsa/202305-02
15	https://security.netapp.com/advisory/ntap-20240621-0007/
16	https://security.netapp.com/advisory/ntap-20240621-0007/
17	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
18	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

JVN Vulnerability Information

Python 用 urllib3 library における証明書検証に関する脆弱性

Title	Python 用 urllib3 library における証明書検証に関する脆弱性
Summary	Python 用 urllib3 library には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 15, 2021, midnight
Registration Date	Nov. 25, 2021, 3:54 p.m.
Last Update	Nov. 25, 2021, 3:54 p.m.

Affected System

Python Software Foundation

urllib3 1.26.4 未満の 1.26.x

Fedora Project

Fedora

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-28363	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
National Vulnerability Database (NVD)
2	CVE-2021-28363	https://nvd.nist.gov/vuln/detail/CVE-2021-28363

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-3f378dda90	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
GitHub
2	Merge pull request from GHSA-5phf-pp7p-vc2r	https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
3	urllib3	https://github.com/urllib3/urllib3/commits/main
4	Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection	https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Python Package Index (PyPI)
5	urllib3 1.26.4	https://pypi.org/project/urllib3/1.26.4/

Change Log

No	Changed Details	Date of change
1	[2021年11月25日] 掲載	Nov. 25, 2021, 3:54 p.m.