CVE-2014-9365

Affecting python2.7 package, versions <2.7.9-1

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Debian:9 relevant versions.

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
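The two checks the description says these clients skipped, chain validation against a trust store and hostname matching, are exactly what the post-fix default `ssl` context performs. The following is an added example, not code from Snyk, NVD or the CPython project: it builds a verifying client context for `urllib`/`http.client` on Python 3, and audits any `ssl.SSLContext` for the two missing checks so that code still constructing its own permissive contexts can be caught in review. The legacy context is recreated with `ssl._create_unverified_context()`, the stdlib escape hatch PEP 476 added alongside the fix; the function names `make_verifying_context`, `audit_context`, `verifying_opener` and `legacy_context` are this example's own.

```python
import ssl
import urllib.request


def make_verifying_context(cafile=None):
    """Client context that performs both checks the vulnerable clients skipped.

    cafile=None loads the platform trust store; pass a PEM bundle to pin a
    private CA instead.  create_default_context() already enables both settings,
    they are restated here so the intent is visible in code review.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # (a) chain must validate against a trust store
    ctx.check_hostname = True             # (b)/(c) leaf cert must match the requested host
    return ctx


def audit_context(ctx):
    """Return a list of findings explaining why ctx would accept a spoofed server.

    An empty list means the context enforces both checks from the CVE text.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: chain is not checked against a trust store")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate is accepted for any host")
    return findings


def verifying_opener(cafile=None):
    """urllib opener whose HTTPS handler uses the verifying context.

    Building the opener does not touch the network; use opener.open(url) to fetch.
    """
    handler = urllib.request.HTTPSHandler(context=make_verifying_context(cafile))
    return urllib.request.build_opener(handler)


def legacy_context():
    """Recreate the pre-2.7.9 / pre-3.4.3 behaviour for comparison.

    ssl._create_unverified_context() is the PEP 476 escape hatch; it disables
    both checks, which is what audit_context() should flag.
    """
    return ssl._create_unverified_context()


if __name__ == "__main__":
    for name, ctx in (("hardened", make_verifying_context()), ("legacy", legacy_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Running the module prints `hardened: OK` and two findings for the legacy context. The same `audit_context()` check can be applied to any context a code base hands to `http.client.HTTPSConnection(..., context=...)` or `xmlrpc.client.ServerProxy(..., context=...)`.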

Remediation

Upgrade Debian:9 python2.7 to version 2.7.9-1 or higher.

CVSS Score

5.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVE
CVE-2014-9365
Snyk ID
SNYK-DEBIAN9-PYTHON27-306606
Disclosed
12 Dec, 2014
Published
12 Dec, 2014