vulnerability

Red Hat OpenShift: CVE-2021-28363: HTTPS proxy host name not validated when using default SSLContext

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
Mar 15, 2021
Added
May 25, 2021
Modified
Apr 11, 2025

Description

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Solution

linuxrpm-upgrade-python-urllib3
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.