Improper Certificate Validation Affecting urllib3 package, versions [1.17,1.18.1)


0.0 low

Snyk CVSS
  • Attack Complexity: High

Threat Intelligence
  • EPSS: 0.07% (28th percentile)
NVD: 3.7 low

  • Snyk ID SNYK-PYTHON-URLLIB3-40441
  • published 27 Oct 2016
  • disclosed 27 Oct 2016
  • credit Cory Benfield

Overview

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package fail to validate TLS certificates in certain configurations. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
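Because all three conditions (urllib3 version, PyOpenSSL backend, OpenSSL 1.1.0) have to hold, an inventory check should test them together rather than flagging every urllib3 1.17/1.18 install. The following is an added example, not code from Snyk or the urllib3 project; the pure functions take the three facts as arguments, and `detect_runtime` makes the assumption that an injected PyOpenSSL backend sets `urllib3.util.IS_PYOPENSSL` and that pyOpenSSL exposes `OpenSSL.SSL.SSLeay_version`.

```python
"""Added example: does a runtime match the configuration in SNYK-PYTHON-URLLIB3-40441?"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (1, 17)     # inclusive lower bound of the advisory range [1.17, 1.18.1)
AFFECTED_MAX = (1, 18, 1)  # exclusive upper bound


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.18.1' -> (1, 18, 1); a non-numeric suffix such as 'rc1' ends parsing."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def in_affected_range(urllib3_version: str) -> bool:
    """Tuple comparison gives the same result as the advisory's [1.17, 1.18.1) range."""
    return AFFECTED_MIN <= parse_version(urllib3_version) < AFFECTED_MAX


def openssl_is_1_1_0(openssl_version_text: str) -> bool:
    """True for version strings such as 'OpenSSL 1.1.0c  10 Nov 2016' or '1.1.0'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", openssl_version_text)
    return bool(match) and tuple(int(x) for x in match.groups()) == (1, 1, 0)


def is_affected(urllib3_version: str, pyopenssl_backend: bool, openssl_version_text: str) -> bool:
    """All three advisory conditions must hold; the default stdlib TLS backend is not affected."""
    return (in_affected_range(urllib3_version)
            and pyopenssl_backend
            and openssl_is_1_1_0(openssl_version_text))


def detect_runtime() -> Optional[bool]:
    """Inspect the running interpreter; None when urllib3 is not installed."""
    try:
        import urllib3
        import urllib3.util
    except ImportError:
        return None
    # Assumption: inject_into_urllib3() sets this flag on the util module.
    backend_injected = bool(getattr(urllib3.util, "IS_PYOPENSSL", False))
    try:
        from OpenSSL import SSL  # pyOpenSSL; absent means the stdlib backend is in use
        openssl_text = SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode("ascii", "replace")
    except Exception:  # no pyOpenSSL, or an API difference in the installed version
        openssl_text = ""
    return is_affected(urllib3.__version__, backend_injected, openssl_text)
```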