Description

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Remediation

References

CVE-2014-9365

Related Vulnerabilities

TYPO3 Improper Input Validation Vulnerability (CVE-2013-7079)

Contao Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-4383)

osTicket Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-14748)

Oracle Application Server CVE-2009-1010 Vulnerability (CVE-2009-1010)

MySQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-3319)

Severity

Medium

Classification

CVE-2014-9365

Tags

Missing Update Known Vulnerabilities