Main Vulnerability Database Vulnerabilities #VU21780

Improper Certificate Validation in urllib3 - CVE-2019-11324

Published: October 15, 2019 / Updated: June 20, 2021

Vulnerability identifier: #VU21780

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2019-11324

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: urlib3

Affected software:
urllib3

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the urllib3 library for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates. A remote attacker can cause the certificates to be considered trusted contrary to expectations. This is related to use of the "ssl_context", "ca_certs" or "ca_certs_dir" argument.

How to mitigate CVE-2019-11324

Install updates from vendor's website.

Sources

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

Improper Certificate Validation in urllib3 - CVE-2019-11324

Detailed vulnerability description

How to mitigate CVE-2019-11324

Sources

Please verify you're human