CVE-2016-9015

CVSS V2 Low 2.6 CVSS V3 Low 3.7
Description
Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.
Overview
  • CVE ID
  • CVE-2016-9015
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2017-01-11T16:59:00
  • Last Modified Date
  • 2017-01-13T13:09:19
Weakness Enumerations
CWE URL
CWE-295 http://cwe.mitre.org/data/definitions/295.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:python:urllib3:1.17:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:python:urllib3:1.18:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:H/Au:N/C:P/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • HIGH
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 2.6
  • Severity
  • LOW
  • Exploitability Score
  • 4.9
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • HIGH
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 3.7
  • Base Severity
  • LOW
  • Exploitability Score
  • 2.2
  • Impact Score
  • 1.4
References
Reference URL Reference Tags
http://www.securityfocus.com/bid/93941 Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2016/10/27/6 Mailing List Mitigation
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2016-9015
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9015
History
Created Old Value New Value Data Type Notes
2022-05-10 09:50:38 Added to TrackCVE
2022-12-02 12:46:52 2017-01-11T16:59Z 2017-01-11T16:59:00 CVE Published Date updated
2022-12-02 12:46:52 2017-01-13T13:09:19 CVE Modified Date updated
2022-12-02 12:46:52 Analyzed Vulnerability Status updated