Description: The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                  Version          Status
python-urllib3 (PTS)  stretch                  1.19.1-1         fixed
                      stretch (security)       1.19.1-1+deb9u1  fixed
                      bookworm, sid, bullseye  1.26.5-1~exp1    fixed

The information below is based on the following data on fixed versions.

Package         Type    Release  Fixed Version   Urgency  Origin  Debian Bugs
python-urllib3  source  stretch  (not affected)
python-urllib3  source  buster   (not affected)


[buster] - python-urllib3 <not-affected> (Vulnerable code introduced later)
[stretch] - python-urllib3 <not-affected> (Vulnerable code introduced later)
Fixed by: (1.26.4)
Support for HTTPS requests via HTTPS proxies was only introduced in 1.26.0.
In Debian, urllib3 requires SSL certificate validation by default (since 1.3-3)
with the 02_require-cert-verification.patch patch (cf. #686872).
