{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-28363", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T21:40:14.323Z", "dateReserved": "2021-03-13T00:00:00", "datePublished": "2021-03-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-21T19:08:26.504484"}, "descriptions": [{"lang": "en", "value": "The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/urllib3/urllib3/commits/main"}, {"name": "FEDORA-2021-3f378dda90", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"}, {"name": "GLSA-202107-36", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"url": "https://pypi.org/project/urllib3/1.26.4/"}, {"url": "https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0"}, {"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r"}, {"name": "GLSA-202305-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-02"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:40:14.323Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/urllib3/urllib3/commits/main", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-3f378dda90", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"}, {"name": "GLSA-202107-36", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_transferred"]}, {"url": "https://pypi.org/project/urllib3/1.26.4/", "tags": ["x_transferred"]}, {"url": "https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0", "tags": ["x_transferred"]}, {"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r", "tags": ["x_transferred"]}, {"name": "GLSA-202305-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-02"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "E96214AF-6F58-4B98-9C24-CF7917C431DB", "versionEndExcluding": "1.26.4", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted."}, {"lang": "es", "value": "La biblioteca urllib3 versiones 1.26.x anteriores a 1.26.4 para Python, omite una comprobaci\u00f3n del certificado SSL en algunos casos que involucran HTTPS a proxies HTTPS. La conexi\u00f3n inicial al proxy HTTPS (si no se proporciona un SSLContext por medio de proxy_config) no verifica el nombre de host del certificado. Esto significa que los certificados para diferentes servidores que a\u00fan se comprueban apropiadamente con el urllib3 SSLContext predeterminado ser\u00e1n aceptados silenciosamente"}], "id": "CVE-2021-28363", "lastModified": "2024-11-21T05:59:35.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-15T18:15:19.017", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commits/main"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://pypi.org/project/urllib3/1.26.4/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202305-02"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commits/main"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://pypi.org/project/urllib3/1.26.4/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202305-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2021:1147", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "python-urllib3-1:1.24.3-2.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-04-21T00:00:00Z"}], "bugzilla": {"description": "python-urllib3: HTTPS proxy host name not validated when using default SSLContext", "id": "1945136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945136"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.", "A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted."], "name": "CVE-2021-28363", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python2-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python38:3.8/python3x-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python38:3.8/python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "python27-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mongodb36-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python36-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Storage 3"}], "public_date": "2021-03-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28363\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28363"], "statement": "* Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package which includes a vulnerable version of urllib3 module, however from OCP 4.6 the python-urllib3 package is no longer shipped. OCP 4.5 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.\n* Red Hat CodeReady WorkSpaces 2 and Red Hat Gluster Storage 3 are not affected by this flaw because both the products does not ship a vulnerable version of urllib3.", "threat_severity": "Moderate", "upstream_fix": "python-urllib3 1.26.4"}