7.5

CVE-2019-11324

EPSS 1.42%
Veröffentlicht 18.04.2019 21:29:00
Zuletzt bearbeitet 21.11.2024 04:20:53
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python ≫ Urllib3 Version < 1.24.2

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.10

Canonical ≫ Ubuntu Linux Version19.04

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.42%	0.8

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html

https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

https://usn.ubuntu.com/3990-1/

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3335

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html

https://access.redhat.com/errata/RHSA-2019:3590

https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/

http://www.openwall.com/lists/oss-security/2019/04/19/1

Third Party Advisory

Mailing List

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11324

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11324

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11324

EUVD