CVE-2021-28363 Overview
CVE-2021-28363 is an Improper Certificate Validation vulnerability affecting the Python urllib3 library versions 1.26.x before 1.26.4. The vulnerability occurs when establishing HTTPS connections through HTTPS proxies, where the library fails to properly verify the hostname of the proxy's SSL certificate. This means that certificates intended for different servers—but still technically valid according to the default urllib3 SSLContext—will be silently accepted without proper hostname verification.
Critical Impact
Applications using affected urllib3 versions with HTTPS proxies are vulnerable to man-in-the-middle attacks, potentially exposing sensitive data transmitted through proxy connections.
Affected Products
- Python urllib3 1.26.x before 1.26.4
- Fedora Project Fedora 34
- Oracle PeopleSoft Enterprise PeopleTools 8.59
Discovery Timeline
- March 15, 2021 - CVE-2021-28363 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-28363
Vulnerability Analysis
This vulnerability stems from incomplete SSL/TLS certificate validation in the urllib3 library's HTTPS proxy handling code. When a Python application configured to use an HTTPS proxy makes a connection, the initial TLS handshake with the proxy server does not include hostname verification unless a custom SSLContext is explicitly provided via the proxy_config parameter.
The core issue lies in how urllib3 initializes SSL contexts for proxy connections. While the library properly validates that the certificate chain is trusted, it neglects to verify that the certificate's Subject Alternative Name (SAN) or Common Name (CN) matches the hostname of the proxy being connected to. This oversight creates a window for attackers to present valid certificates issued for different domains while intercepting proxy traffic.
Root Cause
The root cause is the missing check_hostname = True setting on the SSL context used for HTTPS proxy connections. By default, urllib3 disables check_hostname and relies on a custom verification implementation. However, for proxy connections, this custom check was not being applied, leaving hostname verification disabled entirely. The fix adds explicit hostname checking for proxy connections by setting ssl_context.check_hostname = True in the connection handling code.
Attack Vector
An attacker positioned between a client and an HTTPS proxy can perform a man-in-the-middle attack by presenting any valid SSL certificate (even one issued for a completely different domain). Since hostname verification is not performed, the client will accept the certificate as long as:
- The certificate is signed by a trusted Certificate Authority
- The certificate is not expired or revoked
This allows the attacker to intercept, read, and potentially modify all traffic passing through the proxy connection, including authentication credentials and sensitive application data.
self.ca_cert_dir,
self.ca_cert_data,
)
+ # By default urllib3's SSLContext disables `check_hostname` and uses
+ # a custom check. For proxies we're good with relying on the default
+ # verification.
+ ssl_context.check_hostname = True
# If no cert was provided, use only the default options for server
# certificate validation
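Review bot: the second sentence of the new comment contradicts the first as written: the context is said to disable `check_hostname` in favour of a custom check, and then proxies are said to be "relying on the default verification". Reword it to say what the assignment actually does, e.g. "urllib3's own hostname check is not applied on the proxy leg, so turn on the ssl module's built-in hostname matching here". Also, the ssl module raises ValueError when `check_hostname` is set to True on a context whose `verify_mode` is `CERT_NONE`; the verify_mode setup is not visible in this fragment, so confirm the surrounding code always sets `CERT_REQUIRED` before this line runs or guard the assignment accordingly.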
Source: GitHub Commit 8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
Detection Methods for CVE-2021-28363
Indicators of Compromise
- Unexpected SSL certificate warnings or mismatches in application logs when connecting through HTTPS proxies
- Network traffic analysis showing TLS connections to proxies with certificates that don't match the expected proxy hostname
- Python dependency audit reports flagging urllib3 versions between 1.26.0 and 1.26.3
Detection Strategies
- Run pip show urllib3 or check requirements.txt files to identify vulnerable versions in the 1.26.x range prior to 1.26.4
- Implement software composition analysis (SCA) tools to continuously monitor Python dependencies for known vulnerabilities
- Review network traffic for anomalous certificate presentations during proxy connections using tools like Wireshark or network security monitoring solutions
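The dependency-audit strategies above (pip show, requirements files) can be automated. The following is an added example, not code from the page or from the urllib3 project: it parses constructed requirements lines and constructed pip show output, compares parsed version tuples against the 1.26.0 to 1.26.3 range, and only flags exact pins, because a range specifier cannot be resolved from the file alone. Comparing tuples rather than matching the text `1.26.[0-3]` avoids misflagging versions such as 1.26.30.

```python
"""Audit Python dependency records for urllib3 versions affected by
CVE-2021-28363 (1.26.0 <= version < 1.26.4). Added example; all sample
input below is constructed."""
import re
from typing import List, Optional, Tuple

AFFECTED_LOW = (1, 26, 0)   # first affected release
FIXED = (1, 26, 4)          # first fixed release

# name, optional operator, optional version; "===" must precede "==" in the alternation
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?"
)


def parse_version(ver: str) -> Tuple[int, ...]:
    """'1.26.3' -> (1, 26, 3); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pinned_urllib3_version(line: str) -> Optional[Tuple[int, ...]]:
    """Exact pinned urllib3 version on a requirements line, or None when the
    line names another package or uses a range instead of an exact pin."""
    line = line.split("#", 1)[0]            # strip trailing comment
    m = _REQ_RE.match(line)
    if not m or m.group("name").lower().replace("_", "-") != "urllib3":
        return None
    if m.group("op") not in ("==", "===") or not m.group("ver"):
        return None                          # ranges need pip show or a lockfile
    return parse_version(m.group("ver"))


def version_from_pip_show(output: str) -> Optional[Tuple[int, ...]]:
    """Pull the 'Version:' line out of `pip show urllib3` output."""
    for raw in output.splitlines():
        if raw.lower().startswith("version:"):
            return parse_version(raw.split(":", 1)[1].strip())
    return None


def is_affected(version: Tuple[int, ...]) -> bool:
    """True for 1.26.0 <= version < 1.26.4; short tuples are padded with zeros."""
    padded = tuple(list(version) + [0] * (3 - len(version)))[:3]
    return AFFECTED_LOW <= padded < FIXED


def find_affected(lines: List[str]) -> List[str]:
    """Return the requirements lines that pin an affected urllib3 version."""
    hits = []
    for line in lines:
        version = pinned_urllib3_version(line)
        if version is not None and is_affected(version):
            hits.append(line.strip())
    return hits


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "requests==2.25.1",
    "urllib3==1.26.3   # constructed: affected",
    "urllib3==1.26.4   # constructed: fixed",
    "urllib3==1.26.30  # constructed: a text match on 1.26.[0-3] would misflag this",
    "urllib3==1.25.11  # constructed: before 1.26.0, outside the range",
    "Urllib3 == 1.26.0 # constructed: case and spacing variation",
    "urllib3>=1.26     # constructed: unresolved range, check the installed version",
]

SAMPLE_PIP_SHOW = "Name: urllib3\nVersion: 1.26.2\nSummary: HTTP library\n"  # constructed

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_REQUIREMENTS):
        print("AFFECTED pin:", hit)
    installed = version_from_pip_show(SAMPLE_PIP_SHOW)
    print("installed:", installed, "affected:", is_affected(installed))
```

The range case (`urllib3>=1.26`) is deliberately reported as unresolved rather than guessed; resolve it against the installed version or a lockfile.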
Monitoring Recommendations
- Enable verbose SSL logging in Python applications to capture certificate validation details during proxy connections
- Deploy network intrusion detection systems to identify potential man-in-the-middle attack patterns on proxy connections
- Implement certificate pinning monitoring to detect unexpected certificate changes for known HTTPS proxies
How to Mitigate CVE-2021-28363
Immediate Actions Required
- Upgrade urllib3 to version 1.26.4 or later immediately using pip install --upgrade "urllib3>=1.26.4" (the specifier is quoted so the shell does not treat >= as a redirection)
- Audit all Python applications and virtual environments for affected urllib3 versions
- If immediate upgrade is not possible, provide a custom SSLContext with check_hostname = True via the proxy_config parameter
Patch Information
The vulnerability is fixed in urllib3 version 1.26.4 and later. The patch adds explicit hostname verification for HTTPS proxy connections by setting check_hostname = True on the SSL context. Organizations should update their dependencies through standard package management:
- PyPI urllib3 Release 1.26.4
- GitHub Security Advisory GHSA-5phf-pp7p-vc2r
- Oracle CPU October 2021 Security Alert for PeopleSoft Enterprise PeopleTools
Workarounds
- Explicitly pass a properly configured SSLContext with check_hostname = True via the proxy_config parameter when creating proxy connections
- Avoid using HTTPS proxies with vulnerable urllib3 versions; consider using HTTP proxies with end-to-end TLS to the destination server instead
- Implement network-level certificate validation or proxy authentication to add additional layers of protection
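The Root Cause section above describes the defect as a missing check_hostname = True on the proxy-leg SSL context, and the workaround above is to supply such a context yourself. The block below is an added example, not urllib3's own code: it builds a context replicating the pre-1.26.4 state (chain verified, hostname not checked) next to a hardened one, audits either for the CVE-2021-28363 pattern, and shows how the hardened context would be handed to urllib3. The `proxy_ssl_context` keyword of urllib3.ProxyManager is named from memory of the 1.26 API and should be checked against your installed version; the page itself refers to the context reaching the connection through proxy_config.

```python
"""Proxy-leg SSLContext: the CVE-2021-28363 state versus the hardened one.
Added example, not code from urllib3."""
import ssl
from typing import List


def legacy_style_proxy_context() -> ssl.SSLContext:
    """Replicates the pre-1.26.4 behaviour: the chain is verified
    (CERT_REQUIRED) but the proxy hostname is never compared with the
    certificate. Constructed to show the weak state; not for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # the missing check from the root cause
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def hardened_proxy_context() -> ssl.SSLContext:
    """Trusted chain AND hostname match, which is what the 1.26.4 fix turns on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # verify_mode must not be CERT_NONE when check_hostname is set, or ssl raises ValueError
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def audit_proxy_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context about to be used on the HTTPS proxy leg; an
    empty list means both the chain and the hostname will be verified."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: certificate chain is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: proxy certificate hostname not verified (CVE-2021-28363 pattern)")
    return findings


def make_proxy_manager(proxy_url: str):
    """Hand the hardened context to urllib3 for the TLS handshake with the proxy.
    Assumes urllib3 1.26.x, where ProxyManager takes a proxy_ssl_context keyword
    (assumed name, verify against your version). Imported lazily so the audit
    helpers above work without urllib3 installed."""
    import urllib3
    return urllib3.ProxyManager(proxy_url, proxy_ssl_context=hardened_proxy_context())


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_style_proxy_context()),
                      ("hardened", hardened_proxy_context())):
        print(name, audit_proxy_context(ctx) or ["OK"])
```

Running audit_proxy_context against whatever context your application currently passes to its proxy configuration is a quick way to confirm the workaround is actually in effect, independent of the urllib3 version installed.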
# Upgrade urllib3 to patched version
pip install --upgrade "urllib3>=1.26.4"
# Verify installed version
pip show urllib3 | grep Version
# Check for vulnerable versions in requirements files
grep -r "urllib3" requirements*.txt | grep -E "1\.26\.[0-3]([^0-9]|$)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


