PT-2017-9927

Cory Benfield · Published 2017-01-11 · Updated 2024-06-18 · CVE-2016-9015

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: urllib3 versions 1.17 through 1.18

Description: The issue is incorrect validation of TLS certificates in certain configurations, putting users at risk of man-in-the-middle and information leakage attacks. It occurs when urllib3's optional PyOpenSSL support is used for TLS with OpenSSL 1.1.0, instead of the standard-library TLS backend. The security impact is considered low because this configuration is uncommon.

Recommendations: For versions 1.17 and 1.18, consider disabling the PyOpenSSL support for TLS until a patch is available, or switch to the standard-library TLS backend to minimize the risk of exploitation.
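To act on the recommendation above, here is an added example (not from the advisory or from urllib3): it checks whether the running urllib3 is one of the named versions with the PyOpenSSL backend injected and, if so, switches back to the standard-library backend. It assumes the real attributes `urllib3.__version__`, `urllib3.util.IS_PYOPENSSL` and `urllib3.contrib.pyopenssl.extract_from_urllib3()`; `_fake_stack` is a constructed stand-in so the script also runs without urllib3 installed.

```python
"""Detect the CVE-2016-9015 configuration (urllib3 1.17/1.18 with the PyOpenSSL
backend injected) and fall back to the standard-library ssl backend."""
from types import SimpleNamespace

# Versions named in the advisory; point releases are assumed to share major.minor.
AFFECTED = ((1, 17), (1, 18))


def parse_version(text):
    """Turn '1.18.1' into (1, 18, 1); a non-numeric suffix ends the parse."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(text):
    return parse_version(text)[:2] in AFFECTED


def pyopenssl_injected(util):
    """inject_into_urllib3() sets util.IS_PYOPENSSL; extract_from_urllib3() clears it."""
    return bool(getattr(util, "IS_PYOPENSSL", False))


def assess(urllib3_mod, pyopenssl_contrib):
    """Return (version, at_risk, remediated); remediate only when both conditions hold."""
    version = urllib3_mod.__version__
    at_risk = is_affected_version(version) and pyopenssl_injected(urllib3_mod.util)
    remediated = False
    if at_risk:
        pyopenssl_contrib.extract_from_urllib3()  # restore the stdlib TLS backend
        remediated = not pyopenssl_injected(urllib3_mod.util)
    return version, at_risk, remediated


def _fake_stack(version, injected):
    """Constructed stand-in for urllib3 and urllib3.contrib.pyopenssl (offline demo)."""
    util = SimpleNamespace(IS_PYOPENSSL=injected)
    contrib = SimpleNamespace(extract_from_urllib3=lambda: setattr(util, "IS_PYOPENSSL", False))
    return SimpleNamespace(__version__=version, util=util), contrib


if __name__ == "__main__":
    try:
        import urllib3
        import urllib3.contrib.pyopenssl as contrib
        print(assess(urllib3, contrib))
    except ImportError:  # urllib3 absent: show the check on the constructed stack
        print(assess(*_fake_stack("1.18", True)))
```

Connections opened after `extract_from_urllib3()` use the standard-library backend; run the check at process start-up, before any pool or session is created.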

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2016-9015
GHSA-V4W5-P2HG-8FH6
OPENSUSE-SU-2019_0159-1
OPENSUSE-SU-2024:10540-1
OPENSUSE-SU-2024:11277-1
OPENSUSE-SU-2024:12944-1
OPENSUSE-SU-2024:14055-1
PYSEC-2017-98
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2019:2627-1
SUSE-SU-2019:0139-1
SUSE-SU-2019_0139-1

Affected Products

Openssl
Pyopenssl
Suse
Urllib3