TLS Certificate Validation Flaw in Python urllib3 Library by Python Software Foundation
CVE-2016-9015
CVSS base score: 3.7 (LOW)
Summary
Versions 1.17 and 1.18 of the Python urllib3 library do not correctly validate TLS server certificates in one specific configuration: when the optional PyOpenSSL backend (urllib3.contrib.pyopenssl, activated with inject_into_urllib3()) is used in place of the standard library's ssl module, and the OpenSSL linked into PyOpenSSL is 1.1.0. Applications running in that configuration can be tricked into accepting a certificate that should have been rejected, which exposes them to man-in-the-middle attacks and leakage of the data they send over the supposedly authenticated connection. The combination is uncommon, which is why the overall severity is rated low. The fix shipped in urllib3 1.19; deployments that cannot upgrade immediately can remove the exposure by not injecting the PyOpenSSL backend, or by running PyOpenSSL against an OpenSSL release other than 1.1.0.
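Because the exposure depends on three independent conditions (urllib3 release, PyOpenSSL injection, OpenSSL 1.1.0), it is easy to misjudge from a requirements file alone. The following check is an added example written for this page, not code from the advisory or from the urllib3 project. It assumes the urllib3 1.x convention that inject_into_urllib3() sets urllib3.util.IS_PYOPENSSL, and it decodes OpenSSL's OPENSSL_VERSION_NUMBER using the 0xMNNFFPPS layout OpenSSL 1.x uses; it treats the whole 1.17 and 1.18 series as affected, exactly as the advisory lists them, without claiming finer patch-level knowledge.

```python
"""Check for the CVE-2016-9015 configuration: urllib3 1.17/1.18 with the
PyOpenSSL backend injected and OpenSSL 1.1.0 underneath.

Added example for this advisory page; not urllib3 project code."""
import re

# Releases the advisory names as affected, as (major, minor) prefixes.
AFFECTED_URLLIB3 = ((1, 17), (1, 18))


def parse_version(text):
    """Leading numeric components of a version string as a tuple.
    '1.18' -> (1, 18); '1.18.1' -> (1, 18, 1); '1.18rc1' -> (1, 18)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def openssl_release(version_number):
    """Decode OPENSSL_VERSION_NUMBER (0xMNNFFPPS, OpenSSL 1.x layout)
    into (major, minor, fix). 0x1010006F (1.1.0f) -> (1, 1, 0)."""
    major = (version_number >> 28) & 0xF
    minor = (version_number >> 20) & 0xFF
    fix = (version_number >> 12) & 0xFF
    return (major, minor, fix)


def is_affected(urllib3_version, pyopenssl_injected, openssl_version_number):
    """True only when all three conditions from the advisory hold."""
    if parse_version(urllib3_version)[:2] not in AFFECTED_URLLIB3:
        return False
    if not pyopenssl_injected:
        return False  # standard-library ssl backend is not affected
    return openssl_release(openssl_version_number) == (1, 1, 0)


def probe_runtime():
    """Inspect the running interpreter.

    Returns None when urllib3 or pyOpenSSL is not importable, otherwise the
    is_affected() verdict. Assumption: urllib3.util.IS_PYOPENSSL is the flag
    set by urllib3.contrib.pyopenssl.inject_into_urllib3() in urllib3 1.x.
    """
    try:
        import urllib3
        import urllib3.util
        import OpenSSL.SSL
    except ImportError:
        return None
    injected = bool(getattr(urllib3.util, "IS_PYOPENSSL", False))
    return is_affected(
        urllib3.__version__, injected, OpenSSL.SSL.OPENSSL_VERSION_NUMBER
    )


if __name__ == "__main__":
    verdict = probe_runtime()
    if verdict is None:
        print("urllib3 or pyOpenSSL not installed; nothing to check")
    else:
        print("affected by CVE-2016-9015:", verdict)
```

Run the script inside the environment that actually serves traffic (the same virtualenv or container), since the OpenSSL that matters is the one pyOpenSSL was built against, not the one the interpreter's own ssl module uses. If the verdict is true and an upgrade is not immediately possible, calling urllib3.contrib.pyopenssl.extract_from_urllib3() reverts to the standard-library backend, which is outside the scope of this advisory.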
CVSS v3.x
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged