Description from CVE
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Explanation
The urllib3 package is vulnerable to Improper Certificate Validation. The _connect_tls_proxy function in the connection.py file does not validate TLS certificate hostnames. A Man-in-the-Middle (MitM) attacker can leverage this vulnerability to decrypt and modify data in transit by providing a malicious certificate that exploits this issue.
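As an added example (this is not code from the issue, from pex, or from urllib3), the two checks a practitioner would want here: an affected-version test for the range the CVE text names (1.26.x before 1.26.4), and the explicit SSLContext that, when handed to urllib3's ProxyManager via proxy_ssl_context (which populates proxy_config), makes the first leg to an HTTPS proxy verify the proxy's hostname instead of relying on the unchecked default. The proxy URL in the demo is a placeholder assumption; the ProxyManager call is only attempted if urllib3 is installed.

```python
"""Added example for CVE-2021-28363: version check plus a strict proxy SSLContext."""
import re
import ssl
from typing import Optional

# Affected range, taken from the CVE text: urllib3 1.26.x before 1.26.4.
FIXED = (1, 26, 4)


def is_affected(version: str) -> bool:
    """True if `version` (e.g. "1.26.3") is in the vulnerable 1.26.x < 1.26.4 range.

    Pre-release/local suffixes are ignored; a bare "1.26" is treated as 1.26.0.
    Anything outside the 1.26 line is reported unaffected because the CVE only
    covers that line.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor) == FIXED[:2] and patch < FIXED[2]


def proxy_ssl_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context for the client-to-proxy TLS leg.

    Both hostname checking and certificate verification are forced on, so the
    proxy must present a certificate that matches the proxy hostname, not merely
    one that chains to a trusted CA (the gap the CVE describes).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for v in ("1.26.3", "1.26.4", "1.25.11"):
        print(v, "affected" if is_affected(v) else "ok")
    try:
        import urllib3  # optional: only used for the live demo below
    except ImportError:
        print("urllib3 not installed; skipping ProxyManager demo")
    else:
        print("installed urllib3", urllib3.__version__,
              "affected" if is_affected(urllib3.__version__) else "ok")
        try:
            # Placeholder proxy URL (assumption); no connection is opened here.
            pm = urllib3.ProxyManager("https://proxy.example:3128",
                                      proxy_ssl_context=proxy_ssl_context())
            print("ProxyManager built with an explicit, hostname-checking proxy context")
        except TypeError:
            print("this urllib3 predates proxy_ssl_context; upgrade instead")
```

Upgrading to 1.26.4 or later is the real fix; passing the explicit context is the workaround the CVE text itself points at for deployments that cannot move yet.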
With the release of Pex 2.1.104 there is now the option to use --pip-version 22.2.2 which will have the vendored Pip used 1 time to download the 22.2.2 version of Pip which will be used from then forward whenever --pip-version 22.2.2 is specified. This is much akin to pip install -U pip.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28363
Report excerpt: