Vulnerability CVE-2019-11324


Published: 2019-04-18

Description:
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Type:

CWE-295

(Certificate Issues)

Vendor: Canonical
Product: Ubuntu linux 
Version:
19.04
18.10
18.04
16.04
Vendor: Python
Product: Urllib3 
Version:
1.9.1
1.9
1.8.3
1.8.2
1.8.1
1.8
1.7.1
1.7
1.6
1.5
1.4
1.3
1.24.1
1.24
1.23
1.22
1.21.1
1.21
1.20
1.2.1
1.19.1
1.19
1.18.1
1.18
1.17
1.16
1.15.1
1.15
1.14
1.13.1
1.13
1.12
1.11
1.10.4
1.10.3
1.10.2
1.10.1
1.10
1.0.2
1.0.1
1.0
0.4.1
0.4
0.3.1
0.3
Vendor: Urllib3 project
Product: Urllib3 
Version: 1.24.2;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
http://www.openwall.com/lists/oss-security/2019/04/19/1
https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
https://usn.ubuntu.com/3990-1/

Copyright 2019, cxsecurity.com

 

Back to Top