Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2019-11324

Disclosure Date: April 18, 2019
CVE-2019-11324
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • python

Products

  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 18.10,
  • ubuntu linux 19.04,
  • urllib3

References

Canonical
CVE-2019-11324 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324)
Advisory
[oss-security] 20190418 Re: urllib3: adds system certificates to ssl_context (http://www.openwall.com/lists/oss-security/2019/04/19/1)
USN-3990-1 (https://usn.ubuntu.com/3990-1)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
https://access.redhat.com/errata/RHSA-2019:3590
https://access.redhat.com/errata/RHSA-2019:3335
FEDORA-2020-6148c44137 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72)
FEDORA-2020-d0d9ad17d8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2)
USN-3990-1 (https://usn.ubuntu.com/3990-1/)
FEDORA-2020-6148c44137 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/)
FEDORA-2020-d0d9ad17d8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/)
[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update (https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html)
[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html)
Miscellaneous
https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis