CVE-2021-28363
Insufficient Certificate Validation vulnerability in urllib3 (PyPI)
What is CVE-2021-28363 About?
This vulnerability affects applications that use `urllib3` to send HTTPS requests through an HTTPS proxy without supplying their own `SSLContext` for the proxy connection; only the default `SSLContext` is affected. When urllib3 opens the TLS connection to the proxy, that default context validates the certificate chain but does not check that the certificate was issued for the proxy's hostname. A certificate that chains to a trusted CA but names some other server is therefore silently accepted, which lets an attacker on the network path impersonate the proxy (a Man-in-the-Middle attack). Exploitation requires the attacker to intercept the client-to-proxy traffic and to hold a certificate the client's trust store accepts.
Affected Software
- urllib3
  - >=1.26.0, <1.26.4
  - git: before commit 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Technical Details
urllib3 1.26.0 added support for reaching HTTPS destinations through an HTTPS proxy. In 1.26.0 through 1.26.3, when the application does not pass its own `SSLContext` for the proxy (the `proxy_ssl_context` argument of `ProxyManager`), the TLS handshake with the proxy uses a default `SSLContext` on which `check_hostname` is not enabled. The certificate chain is still validated against the trust store, so a self-signed certificate is rejected, but the certificate's subject names are never compared with the proxy hostname. An attacker who can intercept traffic to the proxy and who holds any certificate issued by a CA the client trusts, for example one for a domain they control, can therefore complete the handshake as the proxy and act as a Man-in-the-Middle on that connection. Version 1.26.4 (commit 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0) resolves this by setting `check_hostname=True` on the default context used for the proxy connection.
What is the Impact of CVE-2021-28363?
Successful exploitation lets an attacker who controls the network path impersonate the HTTPS proxy and read or alter the client-to-proxy leg of the connection, which carries at least the CONNECT request (destination host and port) and any proxy credentials the application sends with it. A certificate that validates against the client's trust store but is issued for a different server is sufficient; no certificate for the proxy's own name is required.
What is the Exploitability of CVE-2021-28363?
Exploitation requires a Man-in-the-Middle position between the client and its HTTPS proxy, either by controlling the network path or by operating the proxy the application is configured to use. The attacker must also hold a certificate that the client's trust store accepts; because only the hostname check is missing, this can be a certificate legitimately issued for any other domain, but not a self-signed one. No authentication or privileges are required on the application side beyond its being configured to use the proxy. The vulnerability is remotely exploitable but depends entirely on traffic interception, so its practical difficulty is set by the attacker's network position. The precondition, an HTTPS proxy used with the default `SSLContext`, is common in environments where proxy settings are pushed centrally and applications never supply a `proxy_ssl_context` of their own.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-28363?
Available Upgrade Options
- urllib3
  - >=1.26.0, <1.26.4 → Upgrade to 1.26.4 or later
- urllib3 (git)
  - before 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 → Upgrade to a build that includes commit 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
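The following Python is an added example, not code from the urllib3 project or from this advisory. It checks a urllib3 version string against the affected range listed above, audits an `ssl.SSLContext` for the missing hostname check described under Technical Details, and shows how to hand an explicit hardened context to `ProxyManager` through its `proxy_ssl_context` parameter so the proxy handshake verifies the hostname even on an unpatched release. `proxy_ssl_context` is the real urllib3 1.26 parameter; the weak context built here is a constructed stand-in that reproduces only the relevant setting (`check_hostname=False`), and the version parser is a small assumption-laden helper that treats pre-releases as their base release.

```python
import ssl
from typing import List, Tuple

# CVE-2021-28363 window: HTTPS-to-HTTPS proxy support arrived in 1.26.0 and the
# proxy handshake only gained check_hostname=True in 1.26.4.
AFFECTED_MIN = (1, 26, 0)
FIXED = (1, 26, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.26.3' -> (1, 26, 3). Leading digits of each component are kept, so a
    pre-release such as '1.26.4rc1' compares as its base release (an assumption
    of this helper, not PEP 440 ordering)."""
    parts = []
    for piece in version.split("."):
        leading = ""
        for ch in piece:
            if not ch.isdigit():
                break
            leading += ch
        if not leading:
            break
        parts.append(int(leading))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when a urllib3 release falls in >=1.26.0, <1.26.4."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the settings under which a client context would accept a certificate
    that chains to a trusted CA but was issued for some other server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate names are not compared with the host")
    return findings


def pre_fix_proxy_context() -> ssl.SSLContext:
    """Constructed stand-in for the pre-1.26.4 proxy default: chain validated, names not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname=True by default
    ctx.check_hostname = False                     # the single setting that 1.26.4 turned back on
    return ctx


def hardened_proxy_context() -> ssl.SSLContext:
    """Explicit context for the proxy leg; verifies chain and hostname regardless of urllib3 version."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname=True, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_proxy_manager(proxy_url: str):
    """ProxyManager whose TLS handshake with the proxy uses the hardened context.
    urllib3 is imported lazily so the helpers above run without it installed."""
    import urllib3
    return urllib3.ProxyManager(proxy_url, proxy_ssl_context=hardened_proxy_context())


if __name__ == "__main__":
    for v in ("1.25.11", "1.26.0", "1.26.3", "1.26.4", "2.2.1"):
        print(f"urllib3 {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("pre-fix style context:", audit_context(pre_fix_proxy_context()))
    print("hardened context:     ", audit_context(hardened_proxy_context()))
    try:
        import urllib3
        if is_affected(urllib3.__version__):
            print("installed urllib3 is affected: upgrade, or pass proxy_ssl_context explicitly")
    except ImportError:
        pass
```

Passing an explicit context is a stopgap for code that cannot upgrade immediately; the fixed release makes the default behave the same way, and `audit_context` can be run against whatever context an application actually hands to urllib3 to confirm both `CERT_REQUIRED` and `check_hostname` are in force.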
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/urllib3/urllib3/commits/main
- https://security.gentoo.org/glsa/202305-02
- https://pypi.org/project/urllib3/1.26.4
- https://github.com/urllib3/urllib3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
- https://security.gentoo.org/glsa/202107-36
- https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
- https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
What are Similar Vulnerabilities to CVE-2021-28363?
Similar Vulnerabilities: CVE-2023-38407, CVE-2022-24765, CVE-2021-31597, CVE-2020-13777, CVE-2018-1000139
