PT-2021-17850 · Pypi+1 · Urllib3+1

Published 2021-03-15 · Updated 2026-06-03 · CVE-2021-28363

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: urllib3 versions 1.26.x through 1.26.3
Description: The issue concerns the omission of SSL certificate validation in certain cases involving HTTPS-to-HTTPS proxies. Specifically, when an SSLContext is not provided via proxy_config, the initial connection to the HTTPS proxy does not verify the hostname in the proxy's certificate. As a result, a certificate issued for a different server is silently accepted as long as it chains to a CA trusted by the default urllib3 SSLContext. The issue affects users who use an HTTPS proxy to issue HTTPS requests without configuring their own SSLContext.
Recommendations: For urllib3 versions 1.26.x through 1.26.3, upgrade to urllib3 version 1.26.4 or later to resolve the issue. As a temporary workaround, configure an SSLContext with check_hostname=True and pass it via proxy_config instead of relying on the default SSLContext.
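The workaround above, as an added example that is not part of the advisory or of urllib3 itself: it builds an SSLContext that verifies both the chain and the hostname, checks that the context is strict before use, and hands it to urllib3's ProxyManager through the proxy_ssl_context keyword (available since 1.26.0). The proxy URL is a placeholder, and urllib3 is imported optionally so the helpers run even where it is not installed.

```python
import ssl

try:
    import urllib3  # only needed for make_proxy_manager(); optional here
except ImportError:
    urllib3 = None

# Versions named as affected by the advisory (1.26.0 through 1.26.3).
AFFECTED = {(1, 26, 0), (1, 26, 1), (1, 26, 2), (1, 26, 3)}


def is_affected(version: str) -> bool:
    """True only for the urllib3 releases the advisory lists as vulnerable."""
    try:
        key = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return False
    return key in AFFECTED


def build_proxy_ssl_context() -> ssl.SSLContext:
    """SSLContext that verifies the proxy's certificate chain AND its hostname."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED
    ctx.check_hostname = True  # the check the vulnerable default path skipped
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check: refuse a context that would accept an unverified proxy."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def make_proxy_manager(proxy_url: str):
    """ProxyManager wired with the strict context; nothing connects until a request is made.
    proxy_url is an assumed placeholder such as 'https://proxy.example.invalid:8443'."""
    if urllib3 is None:
        raise RuntimeError("urllib3 is not installed")
    ctx = build_proxy_ssl_context()
    if not context_is_strict(ctx):
        raise ValueError("refusing to use a non-verifying proxy SSLContext")
    # proxy_ssl_context populates ProxyConfig.ssl_context (the advisory's "proxy_config").
    return urllib3.ProxyManager(proxy_url, proxy_ssl_context=ctx)


if __name__ == "__main__":
    installed = urllib3.__version__ if urllib3 else "not installed"
    print("urllib3", installed, "affected:", is_affected(installed))
```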

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2021-1772
BDU:2025-04191
CVE-2021-28363
GHSA-5PHF-PP7P-VC2R
MGASA-2021-0371
MGASA-2021-0377
PYSEC-2021-59

Affected Products

Alt Linux
Urllib3