CVE Vulnerabilities

CVE-2019-11324

Improper Certificate Validation

Published: Apr 18, 2019 | Modified: Nov 07, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Urllib3 Python * 1.24.2 (excluding)
Red Hat Enterprise Linux 7 RedHat python-pip-0:9.0.3-7.el7_7 *
Red Hat Enterprise Linux 7 RedHat python-pip-0:9.0.3-7.el7_8 *
Red Hat Enterprise Linux 8 RedHat python27:2.7-8010020190903182548.51c94b97 *
Red Hat Enterprise Linux 8 RedHat python27:2.7-8020020200117110429.90f98d4f *
Red Hat Enterprise Linux 8 RedHat python-pip-0:9.0.3-16.el8 *
Red Hat Enterprise Linux 8 RedHat python-urllib3-0:1.24.2-2.el8 *
Red Hat Enterprise Linux 8 RedHat python-pip-0:9.0.3-16.el8 *
Red Hat OpenShift Container Platform 4.3 RedHat python-urllib3-0:1.24.3-1.el7 *
Red Hat OpenShift Container Platform 4.4 RedHat python-urllib3-0:1.24.3-1.el7 *
Python-urllib3 Ubuntu bionic *
Python-urllib3 Ubuntu cosmic *
Python-urllib3 Ubuntu devel *
Python-urllib3 Ubuntu disco *
Python-urllib3 Ubuntu esm-infra/bionic *
Python-urllib3 Ubuntu trusty *
Python-urllib3 Ubuntu upstream *

Potential Mitigations

References