The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies.
The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

The remote host is affected by the vulnerability described in GLSA-202305-02 (Python, PyPy3: Multiple Vulnerabilities)

  - In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands     discovered in the system mailcap file. This may allow attackers to inject shell commands into applications     that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or     arguments). The fix is also back-ported to 3.7, 3.8, 3.9 (CVE-2015-20107)

  - A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC     could be made to redirect to any desired URL. (CVE-2021-3654)

  - The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases     involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given     via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different     servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
    (CVE-2021-28363)

  - ** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to     no protection against multiple (/) at the beginning of URI path which may leads to information disclosure.
    NOTE: this is disputed by a third party because the http.server.html documentation page states Warning:
    http.server is not recommended for production. It only implements basic security checks. (CVE-2021-28861)

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

  - A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform     Resource Locator (URL) strings into components. The issue involves how the urlparse method does not     sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to     input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1,     3.9.5, 3.8.11, 3.7.11 and 3.6.14. (CVE-2022-0391)

  - The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer     overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.
    This occurs in the sponge function interface. (CVE-2022-37454)

  - Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-     default configuration. The Python multiprocessing library, when used with the forkserver start method on     Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which     in many system configurations means any user on the same machine. Pickles can execute arbitrary code.
    Thus, this allows for local user privilege escalation to the user that any forkserver process is running     as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start     method for multiprocessing is not the default start method. This issue is Linux specific because only     Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract     namespace sockets by default. Support for users manually specifying an abstract namespace socket was added     as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do     that in CPython before 3.9. (CVE-2022-42919)

  - An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path     when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name     being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by     remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger     excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname.
    For example, the attack payload could be placed in the Location header of an HTTP response with status     code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. (CVE-2022-45061)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1667 advisory.

    The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases     involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given     via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different     servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
    (CVE-2021-28363)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of python3 installed on the remote host is prior to 3.9.11. It is, therefore, affected by a vulnerability as referenced in the SSA:2022-077-01 advisory.

  - The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases     involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given     via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different     servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
    (CVE-2021-28363)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202107-36 (urllib3: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in urllib3. Please review       the CVE identifiers referenced below for details.
  Impact :

    An attacker could cause a possible Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
504104	Siemens SIMATIC S7-1500 Improper Certificate Validation (CVE-2021-28363)	Tenable OT Security	Tenable.ot	medium
175043	GLSA-202305-02 : Python, PyPy3: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
169523	Amazon Linux 2 : python-pip (ALAS-2021-1667)	Nessus	Amazon Linux Local Security Checks	medium
159068	Slackware Linux 15.0 / current python3 Vulnerability (SSA:2022-077-01)	Nessus	Slackware Local Security Checks	medium
157001	GLSA-202107-36 : urllib3: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2021-28363

medium

Tenable Plugins

medium

critical

medium

medium

medium