#VU51604 Improper validation of certificate with host mismatch in urllib3 - CVE-2021-28363
Vulnerability identifier: #VU51604
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-297
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
urllib3
Other software /
Other software solutions
Vendor: shazow (Andrey Petrov)
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to urllib3 library for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given
via proxy_config) doesn't verify the hostname of the certificate. This
means certificates for different servers that still validate properly
with the default urllib3 SSLContext will be silently accepted. A remote attacker can supply a valid SSL certificate for a different hostname and perform Man-in-the-Middle (MitM) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
urllib3: 1.26.0 - 1.26.3
External links
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
https://github.com/urllib3/urllib3/commits/main
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
https://pypi.org/project/urllib3/1.26.4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
