{ "threat_severity" : "Moderate", "public_date" : "2021-03-15T00:00:00Z", "bugzilla" : { "description" : "python-urllib3: HTTPS proxy host name not validated when using default SSLContext", "id" : "1945136", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1945136" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-295", "details" : [ "The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.", "A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted." ], "statement" : "* Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package which includes a vulnerable version of urllib3 module, however from OCP 4.6 the python-urllib3 package is no longer shipped. OCP 4.5 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.\n* Red Hat CodeReady WorkSpaces 2 and Red Hat Gluster Storage 3 are not affected by this flaw because both the products does not ship a vulnerable version of urllib3.", "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2021-04-21T00:00:00Z", "advisory" : "RHBA-2021:1147", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "python-urllib3-1:1.24.3-2.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "python-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python27:2.7/python2-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python27:2.7/python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python38:3.8/python3x-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python38:3.8/python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python39:3.9/python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python-pip", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Out of support scope", "package_name" : "python-urllib3", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Not affected", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "python27-python-pip", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-mongodb36-python-urllib3", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-python36-python-pip", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-python38-python-pip", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-python38-python-urllib3", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "python-urllib3", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-28363\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28363" ], "name" : "CVE-2021-28363", "csaw" : false }