
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3 – CVE-2014-9365

oval:org.cisecurity:def:1255

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Family: windows
Status: ACCEPTED
Platform(s):
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8.1
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows 10
  • Microsoft Windows Server 2012 R2
Class: vulnerability
Reference(s):
  • CVE-2014-9365
Product(s):
  • Python