7.5

CVE-2019-11324

EPSS 1.42%
Published 18.04.2019 21:29:00
Last modified 21.11.2024 04:20:53
Source cve@mitre.org
Teams watchlist Login
Open Login

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Urllib3 Version < 1.24.2

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.10

Canonical ≫ Ubuntu Linux Version19.04

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.42%	0.8

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html

https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

https://usn.ubuntu.com/3990-1/

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3335

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html

https://access.redhat.com/errata/RHSA-2019:3590

https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/

http://www.openwall.com/lists/oss-security/2019/04/19/1

Third Party Advisory

Mailing List

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11324

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11324

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11324

EUVD