QwikSec

Security Database

CVE

CWE

Training

CVE-2021-28363

Published: Mar 15, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/urllib3/urllib3/commits/main

FEDORA-2021-3f378dda90

vendor-advisory

vendor-advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

https://pypi.org/project/urllib3/1.26.4/

https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0

https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r

vendor-advisory

https://security.netapp.com/advisory/ntap-20240621-0007/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.