vulnerability
Red Hat OpenShift: CVE-2021-28363: HTTPS proxy host name not validated when using default SSLContext
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
6 | (AV:N/AC:L/Au:N/C:P/I:P/A:N) | Mar 15, 2021 | May 25, 2021 | Apr 11, 2025 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
Mar 15, 2021
Added
May 25, 2021
Modified
Apr 11, 2025
Description
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Solution
linuxrpm-upgrade-python-urllib3

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.