Improper Certificate Validation Affecting urllib3 package, versions [1.17,1.18.1)
- Snyk ID SNYK-PYTHON-URLLIB3-40441
- published 27 Oct 2016
- disclosed 27 Oct 2016
- credit Cory Benfield
Introduced: 27 Oct 2016
CVE-2016-9015
Overview
urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.
Affected versions of this package fail to validate TLS certificates in certain configurations. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. The vulnerability affects users of versions 1.17 and 1.18 of the urllib3 library who use the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who use OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
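The three conditions above can be checked together in a running environment. The following is an added example, not code from the advisory or from urllib3; the function names are hypothetical, the sample version strings in the comments are constructed, and it assumes urllib3 sets `urllib3.util.IS_PYOPENSSL` once the PyOpenSSL backend has been injected.

```python
import re

def _numeric_version(text):
    """Leading numeric components of a version string, padded to 3 parts."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0, 0))[:3]

def urllib3_in_affected_range(version):
    """True for the advisory's range [1.17, 1.18.1)."""
    return (1, 17, 0) <= _numeric_version(version) < (1, 18, 1)

def openssl_is_1_1_0(banner):
    """True if an OpenSSL banner such as 'OpenSSL 1.1.0c  10 Nov 2016'
    (constructed sample) reports the 1.1.0 series named in the advisory."""
    m = re.search(r"\bOpenSSL (\d+)\.(\d+)\.(\d+)", banner)
    return bool(m) and tuple(int(g) for g in m.groups()) == (1, 1, 0)

def is_affected(urllib3_version, pyopenssl_in_use, openssl_banner):
    """All three conditions from the advisory must hold at once."""
    return bool(
        urllib3_in_affected_range(urllib3_version)
        and pyopenssl_in_use
        and openssl_is_1_1_0(openssl_banner)
    )

def inspect_runtime():
    """Evaluate the current interpreter. Returns None when urllib3 or
    pyOpenSSL is not importable, so the PyOpenSSL backend cannot be in use.
    Call this after the application has finished its TLS setup, since the
    backend is only active once it has been injected."""
    try:
        import urllib3
        from OpenSSL import SSL
    except ImportError:
        return None
    banner = SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode("ascii", "replace")
    # Assumption: IS_PYOPENSSL is the flag urllib3 flips on injection.
    injected = bool(getattr(urllib3.util, "IS_PYOPENSSL", False))
    return is_affected(urllib3.__version__, injected, banner)

if __name__ == "__main__":
    print("affected:", inspect_runtime())
```

A `False` result from `inspect_runtime()` only describes the process it ran in; other virtual environments or container images on the same host need their own check.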