Improper Certificate Validation Affecting urllib3 package, versions [1.17,1.18.1)


Severity: low (Snyk recommended CVSS score 0.0; CVSS assessment made by Snyk's Security Team)

Threat Intelligence: EPSS 0.07% (31st percentile)

  • Snyk ID: SNYK-PYTHON-URLLIB3-40441
  • Published: 27 Oct 2016
  • Disclosed: 27 Oct 2016
  • Credit: Cory Benfield

Introduced: 27 Oct 2016

CVE-2016-9015
CWE-295

Overview

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package fail to validate TLS certificates in certain configurations. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. The vulnerability affects users of versions 1.17 and 1.18 of the urllib3 library who use the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who use OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
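As an added check (not Snyk's or urllib3's own code), the following Python decides whether an environment matches all three conditions the advisory names: urllib3 in [1.17, 1.18.1), the PyOpenSSL backend injected, and OpenSSL 1.1.0 behind it. The live probe assumes urllib3 1.x sets `urllib3.util.IS_PYOPENSSL` when injected and that pyOpenSSL exposes `OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

```python
from typing import Optional, Tuple

AFFECTED_MIN = (1, 17)   # inclusive lower bound, from the advisory
FIXED_AT = (1, 18, 1)    # exclusive upper bound, from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.18.1' -> (1, 18, 1); a non-numeric suffix such as 'rc1' ends the parse."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def urllib3_in_affected_range(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def openssl_is_1_1_0(version_number: int) -> bool:
    """OPENSSL_VERSION_NUMBER is 0xMNNFFPPS (major, minor, fix, patch, status),
    so every 1.1.0 letter release decodes to (1, 1, 0)."""
    major, minor, fix = version_number >> 28, (version_number >> 20) & 0xFF, (version_number >> 12) & 0xFF
    return (major, minor, fix) == (1, 1, 0)


def is_affected(urllib3_version: str, pyopenssl_injected: bool,
                openssl_version_number: Optional[int]) -> bool:
    """True only when all three advisory conditions hold; no PyOpenSSL means
    the standard-library backend is in use, which the advisory does not cover."""
    if not urllib3_in_affected_range(urllib3_version):
        return False
    if not pyopenssl_injected or openssl_version_number is None:
        return False
    return openssl_is_1_1_0(openssl_version_number)


def probe_environment() -> dict:
    """Best-effort read of the running interpreter (assumed attribute names, see lead-in)."""
    info = {"urllib3": None, "pyopenssl_injected": False, "openssl": None}
    try:
        import urllib3
        info["urllib3"] = urllib3.__version__
        info["pyopenssl_injected"] = bool(getattr(urllib3.util, "IS_PYOPENSSL", False))
        from OpenSSL import SSL  # only present if pyOpenSSL is installed
        info["openssl"] = SSL.OPENSSL_VERSION_NUMBER
    except ImportError:
        pass
    return info
```

Call `is_affected(**{k: v for k, v in zip(("urllib3_version", "pyopenssl_injected", "openssl_version_number"), probe_environment().values())})` in a deployment to get a yes/no answer for that host; the pure functions can also be fed values collected from an inventory.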

CVSS Scores (version 3.1)