Python urllib3 ライブラリにおける特定の設定下で TLS 証明書を適切に検証しない脆弱性
| Title |
Python urllib3 ライブラリにおける特定の設定下で TLS 証明書を適切に検証しない脆弱性
|
| Summary |
Python urllib3 ライブラリには、特定の設定下で TLS 証明書を適切に検証しない脆弱性が存在します。
|
| Possible impacts |
特定の設定下で TLS 証明書を適切に検証しない可能性があります。 |
| Solution |
ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
Oct. 27, 2016, midnight |
| Registration Date |
Jan. 24, 2017, 3:13 p.m. |
| Last Update |
Jan. 24, 2017, 3:13 p.m. |
|
CVSS3.0 : 低
|
| Score |
3.7
|
| Vector |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
CVSS2.0 : 注意
|
| Score |
2.6
|
| Vector |
AV:N/AC:H/Au:N/C:P/I:N/A:N |
Affected System
| Python Software Foundation |
|
urllib3 1.18.1 未満
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
Change Log
| No |
Changed Details |
Date of change |
| 0 |
[2017年01月24日]
掲載 |
Feb. 17, 2018, 10:37 a.m. |
NVD Vulnerability Information
CVE-2016-9015
| Summary |
Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
|
| Publication Date |
Jan. 12, 2017, 1:59 a.m. |
| Registration Date |
Jan. 26, 2021, 2:19 p.m. |
| Last Update |
Nov. 21, 2024, noon |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:python:urllib3:1.17:*:*:*:*:*:*:* |
|
|
|
|
| cpe:2.3:a:python:urllib3:1.18:*:*:*:*:*:*:* |
|
|
|
|
Related information, measures and tools
Common Vulnerabilities List