Bug 1945136 (CVE-2021-28363) - CVE-2021-28363 python-urllib3: HTTPS proxy host name not validated when using default SSLContext
Summary: CVE-2021-28363 python-urllib3: HTTPS proxy host name not validated when using...
Keywords:
Status: NEW
Alias: CVE-2021-28363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1946227 1946228 1945137 1945138 1945141 1945142 1945271 1946224 1946225
Blocks: 1945140
TreeView+ depends on / blocked
 
Reported: 2021-03-31 12:25 UTC by Dhananjay Arunesh
Modified: 2024-06-04 10:50 UTC (History)
36 users (show)

Fixed In Version: python-urllib3 1.26.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2021-03-31 12:25:52 UTC 
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

References:
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
https://pypi.org/project/urllib3/1.26.4/
Comment 1 Dhananjay Arunesh 2021-03-31 12:27:40 UTC 
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1945142]


Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1945137]


Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1945141]


Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1945138]
Comment 2 Miro Hrončok 2021-03-31 13:07:30 UTC 
Does this affect urllib3 1.25.x?
Comment 6 Tomas Hoger 2021-04-01 09:19:18 UTC 
(In reply to Miro Hrončok from comment #2)
> Does this affect urllib3 1.25.x?

Probably not, as upstream only added support for HTTPS proxies in 1.26.0:

https://github.com/urllib3/urllib3/blob/1.26.0/CHANGES.rst

That's likely the reason why CVE description explicitly mentions 1.26.x:  The urllib3 library 1.26.x before 1.26.4 ...
Comment 7 Tomas Hoger 2021-04-01 21:02:37 UTC 
As support for HTTPS proxies was only added in urllib3 version 1.26.0 (see comment 6 above), earlier versions are not affected by this flaw.  Version 1.26.0 is not yet used in Red Hat Enterprise Linux or Fedora.

Only versions 1.26.0 - 1.26.3 are affected by this issue.
Comment 12 Hardik Vyas 2021-04-08 11:36:00 UTC 
Statement:

* Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package which includes a vulnerable version of urllib3 module, however from OCP 4.6 the python-urllib3 package is no longer shipped. OCP 4.5 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.

* Red Hat CodeReady WorkSpaces 2 and Red Hat Gluster Storage 3 are not affected by this flaw because both the products does not ship a vulnerable version of urllib3.
Note You need to log in before you can comment on or make changes to this bug.