CVE-2019-11324 – urllib3
Package
Manager: pip
Name: urllib3
Vulnerable Version: >=0 <1.24.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01449 (percentile: 0.80027)
Details
Improper Certificate Validation in urllib3

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the `ssl_context`, `ca_certs`, or `ca_certs_dir` argument.
Metadata
Created: 2019-04-19T16:55:10Z
Modified: 2024-11-18T22:10:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-mh33-7rrq-662w/GHSA-mh33-7rrq-662w.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-mh33-7rrq-662w
Finding: F163
Auto approve: 1