CVE-2019-11324
Last modified
CVE-2019-11324 is a vulnerability of currently unknown severity. The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.. EPSS estimates a 2.81% chance of exploitation in the next 30 days.
Description
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Python | Urllib3 | < 1.24.2 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 18.10 |
| Canonical | Ubuntu Linux | 19.04 |
References
- http://www.openwall.com/lists/oss-security/2019/04/19/1Mailing List, Third Party Advisory
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4Patch, Third Party Advisory
- https://usn.ubuntu.com/3990-1/Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/04/19/1Mailing List, Third Party Advisory
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4Patch, Third Party Advisory
- https://usn.ubuntu.com/3990-1/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-11324?
How severe is CVE-2019-11324?
How do I fix CVE-2019-11324?
Are you affected by CVE-2019-11324?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST