CVE-2016-9015
First published: Wed Jan 11 2017(Updated: )
Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/urllib3 | >=1.17<=1.18 | 1.18.1 |
| Python 3 urllib3 | =1.17 | |
| Python 3 urllib3 | =1.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/10/27/6
- http://www.securityfocus.com/bid/93941
- https://nvd.nist.gov/vuln/detail/CVE-2016-9015
- https://web.archive.org/web/20210123184150/http://www.securityfocus.com/bid/93941
- https://github.com/urllib3/urllib3/commit/c32cdbc16a9634fa0f8c829d1270301570158715
- https://github.com/advisories/GHSA-v4w5-p2hg-8fh6 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2017-98.yaml
Frequently Asked Questions
What is the severity of CVE-2016-9015?
CVE-2016-9015 has been classified as a high severity vulnerability due to the potential for man-in-the-middle attacks and information leakage.
How do I fix CVE-2016-9015?
To mitigate CVE-2016-9015, update the urllib3 library to version 1.18.1 or later.
Which versions are affected by CVE-2016-9015?
CVE-2016-9015 affects urllib3 versions 1.17 and 1.18.
What types of attacks are possible with CVE-2016-9015?
CVE-2016-9015 can lead to man-in-the-middle attacks and potential information leakage.
Who is at risk due to CVE-2016-9015?
Users of urllib3 versions 1.17 and 1.18 with specific configurations are at risk due to CVE-2016-9015.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v4w5-p2hg-8fh6
- alias/CVE-2016-9015
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/python
- canonical/python 3 urllib3
- version/python 3 urllib3/1.17
- version/python 3 urllib3/1.18