The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
EUVD-2021-0457 | The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. |
![]() |
GHSA-5phf-pp7p-vc2r | Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-03T21:40:14.323Z
Reserved: 2021-03-13T00:00:00
Link: CVE-2021-28363

No data.

Status : Modified
Published: 2021-03-15T18:15:19.017
Modified: 2024-11-21T05:59:35.823
Link: CVE-2021-28363


No data.