CVE-2021-28363

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isnt given via proxy_config) doesnt verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Urllib3	Python	1.26.0 (including)	1.26.4 (excluding)
Red Hat OpenShift Container Platform 3.11	RedHat	python-urllib3-1:1.24.3-2.el7	*
Python-pip	Ubuntu	devel	*
Python-pip	Ubuntu	trusty	*
Python-pip	Ubuntu	upstream	*
Python-urllib3	Ubuntu	devel	*
Python-urllib3	Ubuntu	trusty	*
Python-urllib3	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
https://github.com/urllib3/urllib3/commits/main
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
https://pypi.org/project/urllib3/1.26.4/
https://security.gentoo.org/glsa/202107-36
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20240621-0007/
https://www.oracle.com/security-alerts/cpuoct2021.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-28363
CWE	https://cwe.mitre.org/data/definitions/295.html

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References