Safety vulnerability ID: 40014
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Urllib3 1.26.4 includes a fix for CVE-2021-28363: The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Latest version: 2.2.1
HTTP library with thread-safe connection pooling, file post, and more.
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. See CVE-2021-28363.
CONFIRM:https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0: https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
CONFIRM:https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r: https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
CONFIRM:https://pypi.org/project/urllib3/1.26.4/: https://pypi.org/project/urllib3/1.26.4/
MISC:https://github.com/urllib3/urllib3/commits/main: https://github.com/urllib3/urllib3/commits/main
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application