PT-2017-9927
Cory Benfield
Published 2017-01-11 · Updated 2024-06-18
CVE-2016-9015
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
urllib3 versions 1.17 through 1.18
Description
urllib3 1.17 and 1.18 do not correctly validate TLS server certificates in one specific configuration: when the optional PyOpenSSL backend (urllib3.contrib.pyopenssl, activated by inject_into_urllib3()) is in use and the PyOpenSSL build is linked against OpenSSL 1.1.0. A connection that should be rejected because of a bad certificate can instead succeed, exposing the client to man-in-the-middle attacks and leakage of the data it sends. The default standard-library ssl backend is not affected, and neither is the PyOpenSSL backend on other OpenSSL series. The upstream advisory rated the impact as low because this combination is uncommon; the practical risk is still full loss of server authentication for any process that happens to run in it.
Recommendations
Upgrade urllib3 past the affected range (1.18.1 or later). Where an upgrade is not immediately possible, do not inject the PyOpenSSL backend on urllib3 1.17 or 1.18 (or undo an existing injection with urllib3.contrib.pyopenssl.extract_from_urllib3()), so that urllib3 falls back to the standard-library ssl backend, which validates certificates correctly. Because the condition depends on the OpenSSL build behind PyOpenSSL rather than on urllib3 alone, check the deployed interpreter rather than relying on the urllib3 version string alone.
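The following audit script is an added example, not code from urllib3 or from this advisory. It encodes only the facts stated above (the affected range 1.17 through 1.18, the OpenSSL 1.1.0 series, and the mitigation of reverting to the standard-library backend) and checks the running interpreter for the combination. It assumes the urllib3 1.x flag urllib3.util.ssl_.IS_PYOPENSSL (set by inject_into_urllib3()) and the pyOpenSSL constant OpenSSL.SSL.OPENSSL_VERSION_NUMBER; both are read defensively with getattr so a missing attribute is reported as "not injected" rather than crashing.

```python
"""Audit helper for CVE-2016-9015 (urllib3 1.17-1.18 + PyOpenSSL + OpenSSL 1.1.0).

Added example, not code from urllib3 or the advisory. The only version facts it
encodes are the advisory's affected range (1.17 through 1.18) and the OpenSSL
1.1.0 series; the rest is ordinary version parsing and a live-process check.
"""
import re
import sys
from typing import Optional, Tuple

AFFECTED_MIN = (1, 17, 0)   # first affected urllib3 release
FIRST_FIXED = (1, 18, 1)    # first release after the affected range


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.18', '1.18.1' or '1.18.1.post1' into a 3-tuple for comparison."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def urllib3_is_affected(version: str) -> bool:
    """True if this urllib3 release lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def openssl_version_tuple(number: int) -> Tuple[int, int, int]:
    """Decode an OPENSSL_VERSION_NUMBER such as 0x1010007f into (major, minor, fix).
    Layout: MNNFFPPS -> major nibble, minor byte, fix byte, patch byte, status nibble."""
    return (number >> 28) & 0xF, (number >> 20) & 0xFF, (number >> 12) & 0xFF


def is_vulnerable_configuration(urllib3_version: str,
                                pyopenssl_injected: bool,
                                openssl_number: int) -> bool:
    """All three advisory conditions must hold at once: an affected urllib3,
    the PyOpenSSL backend actually injected, and that backend linked against
    OpenSSL 1.1.0.x. Any one of them missing means the stdlib path (or a
    non-1.1.0 OpenSSL) is in use and the advisory does not apply."""
    if not urllib3_is_affected(urllib3_version):
        return False
    if not pyopenssl_injected:
        return False
    return openssl_version_tuple(openssl_number) == (1, 1, 0)


def audit_running_interpreter() -> Optional[str]:
    """Inspect the live process. Returns a finding string, or None when the
    vulnerable combination is absent (including when urllib3 or PyOpenSSL
    are not installed at all)."""
    try:
        import urllib3
        import urllib3.util.ssl_ as ssl_util
    except ImportError:
        return None
    # Assumption: urllib3 1.x sets IS_PYOPENSSL when inject_into_urllib3() ran.
    injected = bool(getattr(ssl_util, "IS_PYOPENSSL", False))
    if not injected:
        return None
    try:
        import OpenSSL.SSL as pyssl
    except ImportError:
        return None
    # Assumption: pyOpenSSL exposes the linked library's OPENSSL_VERSION_NUMBER.
    number = getattr(pyssl, "OPENSSL_VERSION_NUMBER", 0)
    if is_vulnerable_configuration(urllib3.__version__, injected, number):
        ver = ".".join(map(str, openssl_version_tuple(number)))
        return (f"urllib3 {urllib3.__version__} with the PyOpenSSL backend on "
                f"OpenSSL {ver}: certificate validation is unreliable (CVE-2016-9015)")
    return None


def revert_to_stdlib_backend() -> None:
    """Mitigation from the advisory: undo the PyOpenSSL injection so urllib3
    uses the standard-library ssl module again. extract_from_urllib3() is
    urllib3's own counterpart to inject_into_urllib3()."""
    from urllib3.contrib import pyopenssl
    pyopenssl.extract_from_urllib3()


if __name__ == "__main__":
    finding = audit_running_interpreter()
    if finding:
        print("FINDING:", finding, file=sys.stderr)
        revert_to_stdlib_backend()
        sys.exit(1)
    print("no vulnerable urllib3/PyOpenSSL/OpenSSL combination detected")
```

Run it inside the same interpreter (and after the same injection call) that the application uses, since the flag and the linked OpenSSL belong to that process; a non-zero exit signals the finding, and the script reverts the injection before exiting so the remaining traffic at least goes through the validated stdlib path.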
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Related identifiers
CVE-2016-9015
Affected products
OpenSSL
PyOpenSSL
SUSE
urllib3