The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-2686-1 python-urllib3 security update
Debian DLA Debian DLA DLA-3610-1 python-urllib3 security update
EUVD EUVD EUVD-2019-0153 The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Github GHSA Github GHSA GHSA-mh33-7rrq-662w Improper Certificate Validation in urllib3
Ubuntu USN Ubuntu USN USN-3990-1 urllib3 vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-04T22:48:09.221Z

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11324

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-04-18T21:29:00.883

Modified: 2024-11-21T04:20:53.373

Link: CVE-2019-11324

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-04-17T00:00:00Z

Links: CVE-2019-11324 - Bugzilla

cve-icon OpenCVE Enrichment

No data.