Urllib3 library 1.26.x before 1.26.4 for Python fails to validate SSL certificates, potentially permitting unauthorized access or man-in-the-middle attacks. Learn how to mitigate this CVE.
A vulnerability in the urllib3 library for Python has been identified, allowing SSL certificate validation to be omitted in certain HTTPS to HTTPS proxy scenarios.
Understanding CVE-2021-28363
This section will delve into the specifics of CVE-2021-28363.
What is CVE-2021-28363?
The urllib3 library version 1.26.x before 1.26.4 for Python fails to properly validate SSL certificates when a client connects to an HTTPS origin through an HTTPS proxy. During the initial TLS connection to the HTTPS proxy, the hostname in the proxy's certificate is not verified, which weakens the security of that first hop.
The Impact of CVE-2021-28363
The vulnerability causes urllib3 to silently accept a certificate that chains to a trusted CA but was issued for an unrelated server: the chain validates correctly, yet the hostname does not match the proxy being contacted. This can lead to unauthorized access or man-in-the-middle attacks on the client-to-proxy connection.
Technical Details of CVE-2021-28363
Let's explore the technical aspects of CVE-2021-28363.
Vulnerability Description
The issue arises from the failure to verify the hostname of the certificate during the initial connection to an HTTPS proxy when no SSLContext is provided via proxy_config.
Affected Systems and Versions
All versions of the urllib3 library 1.26.x prior to 1.26.4 for Python are impacted by this vulnerability.
Exploitation Mechanism
An attacker positioned between a client and its HTTPS proxy could present a certificate valid for a different hostname and, because the proxy's certificate hostname is not checked, intercept the HTTPS traffic the client intends to send through the proxy (a man-in-the-middle attack).
Mitigation and Prevention
Discover how to address and prevent CVE-2021-28363.
Immediate Steps to Take
Users are advised to update the urllib3 library to version 1.26.4 or newer to mitigate the SSL certificate validation issue.
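The following added example (not code from the urllib3 project or from the advisory) shows the two checks a practitioner would want for the description above and for this mitigation step: an inventory test for the affected version range, and a ProxyManager that always supplies an explicit SSLContext for the proxy leg, so hostname verification does not depend on the library default. The `proxy_ssl_context` keyword of `urllib3.ProxyManager` is the 1.26-series way to populate `proxy_config`; the proxy URL is a placeholder.

```python
import re
import ssl
import warnings

# Affected range stated in the advisory: every 1.26.x release before 1.26.4.
AFFECTED_MINOR = (1, 26)
FIXED_VERSION = (1, 26, 4)


def parse_version(version):
    """Turn a urllib3 version string such as '1.26.3' into an int tuple.
    Pre-release suffixes (e.g. '1.26.0rc1') are ignored for the comparison."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if this urllib3 version is in the CVE-2021-28363 range (1.26.0 <= v < 1.26.4)."""
    v = parse_version(version)
    return v[:2] == AFFECTED_MINOR and v < FIXED_VERSION


def hardened_proxy_context():
    """SSLContext for the client -> HTTPS proxy hop that verifies both the
    certificate chain and the hostname. Supplying it explicitly means the
    proxy hop never falls back to the default that skipped the hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_proxy_manager(proxy_url="https://proxy.example.invalid:8443"):
    """Build a ProxyManager for an HTTPS proxy with the hardened context.
    urllib3 is imported lazily so the version check works without it installed."""
    import urllib3  # assumed installed; proxy_ssl_context exists from 1.26.0

    if is_affected(urllib3.__version__):
        warnings.warn(f"urllib3 {urllib3.__version__} is affected by "
                      "CVE-2021-28363; upgrade to 1.26.4 or newer")
    return urllib3.ProxyManager(
        proxy_url,
        proxy_ssl_context=hardened_proxy_context(),
        cert_reqs="CERT_REQUIRED",  # also verify the origin server's certificate
    )
```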
Long-Term Security Practices
Apply security updates regularly and make sure certificate chain and hostname verification stays enabled on every TLS hop, including the connection to a proxy, to strengthen overall system security.
Patching and Updates
Stay informed about security advisories and promptly apply patches released by urllib3 to address security vulnerabilities.