Improper Certificate Validation in urllib3
High severity
GitHub Reviewed
Published
Apr 19, 2019
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Apr 18, 2019
Reviewed
Apr 19, 2019
Published to the GitHub Advisory Database
Apr 19, 2019
Last updated
Nov 18, 2024
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the
ssl_context
,ca_certs
, orca_certs_dir
argument.References