Main Vulnerability Database SB2019041823

SB2019041823 - Improper certificate validation in urllib3 library for Python

Published: April 18, 2019 Updated: June 20, 2021

Security Bulletin ID SB2019041823

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Certificate Validation (CVE-ID: CVE-2019-11324)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the urllib3 library for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates. A remote attacker can cause the certificates to be considered trusted contrary to expectations. This is related to use of the "ssl_context", "ca_certs" or "ca_certs_dir" argument.

Remediation

Install update from vendor's website.

References

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4