Main Vulnerability Database Vulnerabilities #VU21780

#VU21780 Improper Certificate Validation in urllib3 - CVE-2019-11324

Published: October 15, 2019 / Updated: June 20, 2021

Vulnerability identifier: #VU21780

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2019-11324

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
urllib3

Software vendor:
urlib3

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the urllib3 library for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates. A remote attacker can cause the certificates to be considered trusted contrary to expectations. This is related to use of the "ssl_context", "ca_certs" or "ca_certs_dir" argument.

Remediation

Install updates from vendor's website.

External links

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4