CVE-2019-11324

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
pythonurllib3
𝑥
< 1.24.2
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
canonicalubuntu_linux
19.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-urllib3
bullseye
1.26.5-1~exp1
fixed
jessie
not-affected
bookworm
1.26.12-1
fixed
sid
2.0.7-2
fixed
trixie
2.0.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-urllib3
disco
Fixed 1.24.1-1ubuntu0.1
released
cosmic
Fixed 1.22-1ubuntu0.18.10.1
released
bionic
Fixed 1.22-1ubuntu0.18.04.1
released
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
http://www.openwall.com/lists/oss-security/2019/04/19/1
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
http://www.openwall.com/lists/oss-security/2019/04/19/1
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/