EIQ-2019-0022



ID

EIQ-2019-0022

CVE

CVE-2019-11324

Description

SSL connection with improper authentication in urllib3 versions 1.24.1 and earlier

Date

22 Apr 2019

Severity

3 - HIGH

CVSSv3 score

7.5

Status

Fixed in 2.4.0

Assessment

The CA certificate handling in the urllib3 library, versions 1.24.1 and earlier, mishandles the case where the set of CA certificates requested by the caller differs from the CA certificates in the operating system's certificate store.
Even when the caller explicitly supplies its own CA certificates (for example a private CA) for verifying the connection, urllib3 also loads and trusts the system CA certificates, so a server certificate that chains to a system CA passes validation although it was not issued by the requested CA.

Because of this weak/improper authentication, an SSL connection can succeed in situations where it should be refused because verification failed.
This enables a man-in-the-middle (MITM) attacker to bypass CA authentication by presenting a certificate signed by an authority the OS already trusts (a system CA) instead of one issued by the user-provided CA.

The affected behaviour is triggered through the ssl_context, ca_certs and ca_cert_dir arguments, which control which CA certificates urllib3 trusts for a connection. No malicious input is needed beyond the ability to intercept the connection and present such a certificate.

Mitigation

Upgrade urllib3 to version 1.24.2 or later. From 1.24.2 on, urllib3 no longer loads the system CA certificates when any of the ca_certs, ca_cert_dir or ssl_context parameters is specified, so a caller-supplied CA is the only trust anchor used.
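The following is an added example, not code from this advisory or from the urllib3 project. It shows two checks a practitioner can run: a version test for whether an installed urllib3 predates the 1.24.2 fix, and an offline reproduction of the underlying problem, namely that calling load_default_certs() on a context that was built to trust only a private CA silently adds the operating system's trust store to it. The trust_anchor_count() and system_store_merged() helpers are assumed names introduced here; they let you record the number of trust anchors on your own SSLContext before handing it to urllib3 and detect afterwards whether the library widened it. check_request() needs network access and urllib3 and is only illustrative.

```python
import re
import ssl

# 1.24.2 is the first urllib3 release that stops merging the system CA store
# into a caller-supplied trust configuration (CVE-2019-11324).
FIRST_FIXED_URLLIB3 = (1, 24, 2)


def parse_version(version):
    """Turn a version string such as '1.24.1' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError("no numeric version components in %r" % version)
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the given urllib3 release is vulnerable to CVE-2019-11324."""
    return parse_version(version) < FIRST_FIXED_URLLIB3


def installed_urllib3_is_affected():
    """Check the urllib3 importable in this interpreter; None if it is absent."""
    try:
        import urllib3
    except ImportError:
        return None
    return is_affected(urllib3.__version__)


def private_ca_context(cafile=None, capath=None):
    """Build a client SSLContext that trusts only the given private CA.

    Nothing is loaded from the OS store: the context starts with zero trust
    anchors and gains only the CA certificate(s) found in cafile/capath.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def trust_anchor_count(ctx):
    """Number of CA certificates currently loaded into the context.

    Caveat: CAs loaded from a capath directory are only counted once they
    have been used in a handshake, so compare counts from the same context.
    """
    return len(ctx.get_ca_certs())


def system_store_merged(ctx, anchors_before):
    """True if the context gained trust anchors after anchors_before was
    recorded, i.e. something (such as urllib3 < 1.24.2) called
    load_default_certs() on it behind the caller's back."""
    return trust_anchor_count(ctx) > anchors_before


def demonstrate_merge():
    """Reproduce offline what the vulnerable code path did to a context.

    Returns (before, after): the anchor count of a private-CA-only context
    before and after load_default_certs(), the call urllib3 < 1.24.2 made
    on a caller-supplied ssl_context. On systems whose default store is a
    capath directory the count may not grow until a CA is used.
    """
    ctx = private_ca_context()
    before = trust_anchor_count(ctx)
    ctx.load_default_certs()  # assumed: this is the unwanted merge step
    after = trust_anchor_count(ctx)
    return before, after


def check_request(url, cafile):
    """Run a real request and report whether urllib3 widened the trust set.

    Requires network access and the urllib3 package; not exercised offline.
    """
    import urllib3
    ctx = private_ca_context(cafile=cafile)
    before = trust_anchor_count(ctx)
    http = urllib3.PoolManager(ssl_context=ctx)
    resp = http.request("GET", url)
    return resp.status, system_store_merged(ctx, before)


if __name__ == "__main__":
    print("installed urllib3 affected:", installed_urllib3_is_affected())
    print("anchors before/after load_default_certs():", demonstrate_merge())
```

A context created with private_ca_context() and no arguments reports zero trust anchors; if the same context reports more after a request went through urllib3, the library merged the OS store into it and the upgrade to 1.24.2 or later has not taken effect.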

Affected versions

2.3.4 and earlier.

Notes

For more information, see:



In release notes 2.4.0