CVE-2014-9365
python: failure to validate certificates in the HTTP client with TLS (PEP 476)
Severity Score
4.7
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Los clientes HTTP en las librarias (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib en CPython (también conocido como Python) 2.x anterior a 2.7.9 y 3.x anterior a 3.4.3, cuando accede a una URL HTTPS, not (a) comprueba el certificado contra un almacen trust o verifica que elnombre del servidor coincide con un nombre de dominio en el campo del tema (b) Common Name o (c) subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario.
The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-12-11 CVE Reserved
- 2014-12-12 CVE Published
- 2024-07-24 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2014/12/11/1 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/71639 | Vdb Entry | |
| https://support.apple.com/kb/HT205031 | X_refsource_confirm |
|
| https://www.python.org/downloads/release/python-279 | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| http://bugs.python.org/issue22417 | 2024-08-06 | |
| https://www.python.org/dev/peps/pep-0476 | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html | 2019-10-25 | |
| https://access.redhat.com/errata/RHSA-2016:1166 | 2019-10-25 | |
| https://access.redhat.com/errata/RHSA-2017:1162 | 2019-10-25 | |
| https://access.redhat.com/errata/RHSA-2017:1868 | 2019-10-25 | |
| https://security.gentoo.org/glsa/201503-10 | 2019-10-25 | |
| https://access.redhat.com/security/cve/CVE-2014-9365 | 2017-08-01 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1173041 | 2017-08-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.0 Search vendor "Python" for product "Python" and version "2.0" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.0.1 Search vendor "Python" for product "Python" and version "2.0.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.1 Search vendor "Python" for product "Python" and version "2.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.1.1 Search vendor "Python" for product "Python" and version "2.1.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.1.2 Search vendor "Python" for product "Python" and version "2.1.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.1.3 Search vendor "Python" for product "Python" and version "2.1.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.2 Search vendor "Python" for product "Python" and version "2.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.2.1 Search vendor "Python" for product "Python" and version "2.2.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.2.2 Search vendor "Python" for product "Python" and version "2.2.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.2.3 Search vendor "Python" for product "Python" and version "2.2.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.1 Search vendor "Python" for product "Python" and version "2.3.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.2 Search vendor "Python" for product "Python" and version "2.3.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.3 Search vendor "Python" for product "Python" and version "2.3.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.4 Search vendor "Python" for product "Python" and version "2.3.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.5 Search vendor "Python" for product "Python" and version "2.3.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.3.7 Search vendor "Python" for product "Python" and version "2.3.7" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.4.1 Search vendor "Python" for product "Python" and version "2.4.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.4.2 Search vendor "Python" for product "Python" and version "2.4.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.4.3 Search vendor "Python" for product "Python" and version "2.4.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.4.4 Search vendor "Python" for product "Python" and version "2.4.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.4.6 Search vendor "Python" for product "Python" and version "2.4.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.1 Search vendor "Python" for product "Python" and version "2.5.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.2 Search vendor "Python" for product "Python" and version "2.5.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.3 Search vendor "Python" for product "Python" and version "2.5.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.4 Search vendor "Python" for product "Python" and version "2.5.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.6 Search vendor "Python" for product "Python" and version "2.5.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.5.150 Search vendor "Python" for product "Python" and version "2.5.150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.1 Search vendor "Python" for product "Python" and version "2.6.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.2 Search vendor "Python" for product "Python" and version "2.6.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.3 Search vendor "Python" for product "Python" and version "2.6.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.4 Search vendor "Python" for product "Python" and version "2.6.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.5 Search vendor "Python" for product "Python" and version "2.6.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.6 Search vendor "Python" for product "Python" and version "2.6.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.7 Search vendor "Python" for product "Python" and version "2.6.7" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.8 Search vendor "Python" for product "Python" and version "2.6.8" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.2150 Search vendor "Python" for product "Python" and version "2.6.2150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.6.6150 Search vendor "Python" for product "Python" and version "2.6.6150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.1 Search vendor "Python" for product "Python" and version "2.7.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.1 Search vendor "Python" for product "Python" and version "2.7.1" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.2 Search vendor "Python" for product "Python" and version "2.7.2" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.3 Search vendor "Python" for product "Python" and version "2.7.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.4 Search vendor "Python" for product "Python" and version "2.7.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.5 Search vendor "Python" for product "Python" and version "2.7.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.6 Search vendor "Python" for product "Python" and version "2.7.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.7 Search vendor "Python" for product "Python" and version "2.7.7" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.8 Search vendor "Python" for product "Python" and version "2.7.8" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.1150 Search vendor "Python" for product "Python" and version "2.7.1150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.1150 Search vendor "Python" for product "Python" and version "2.7.1150" | x64 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 2.7.2150 Search vendor "Python" for product "Python" and version "2.7.2150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.0 Search vendor "Python" for product "Python" and version "3.0" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.0.1 Search vendor "Python" for product "Python" and version "3.0.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1 Search vendor "Python" for product "Python" and version "3.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.1 Search vendor "Python" for product "Python" and version "3.1.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.2 Search vendor "Python" for product "Python" and version "3.1.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.3 Search vendor "Python" for product "Python" and version "3.1.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.4 Search vendor "Python" for product "Python" and version "3.1.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.5 Search vendor "Python" for product "Python" and version "3.1.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.1.2150 Search vendor "Python" for product "Python" and version "3.1.2150" | x64 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2 Search vendor "Python" for product "Python" and version "3.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2 Search vendor "Python" for product "Python" and version "3.2" | alpha |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.0 Search vendor "Python" for product "Python" and version "3.2.0" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.1 Search vendor "Python" for product "Python" and version "3.2.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.2 Search vendor "Python" for product "Python" and version "3.2.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.3 Search vendor "Python" for product "Python" and version "3.2.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.4 Search vendor "Python" for product "Python" and version "3.2.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.5 Search vendor "Python" for product "Python" and version "3.2.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.6 Search vendor "Python" for product "Python" and version "3.2.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.2.2150 Search vendor "Python" for product "Python" and version "3.2.2150" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3 Search vendor "Python" for product "Python" and version "3.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3 Search vendor "Python" for product "Python" and version "3.3" | beta2 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.0 Search vendor "Python" for product "Python" and version "3.3.0" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.1 Search vendor "Python" for product "Python" and version "3.3.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.1 Search vendor "Python" for product "Python" and version "3.3.1" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.2 Search vendor "Python" for product "Python" and version "3.3.2" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.3 Search vendor "Python" for product "Python" and version "3.3.3" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.3 Search vendor "Python" for product "Python" and version "3.3.3" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.3 Search vendor "Python" for product "Python" and version "3.3.3" | rc2 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.4 Search vendor "Python" for product "Python" and version "3.3.4" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.4 Search vendor "Python" for product "Python" and version "3.3.4" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.5 Search vendor "Python" for product "Python" and version "3.3.5" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.5 Search vendor "Python" for product "Python" and version "3.3.5" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.5 Search vendor "Python" for product "Python" and version "3.3.5" | rc2 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.3.6 Search vendor "Python" for product "Python" and version "3.3.6" | rc1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.4 Search vendor "Python" for product "Python" and version "3.4" | alpha1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.4.0 Search vendor "Python" for product "Python" and version "3.4.0" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.4.1 Search vendor "Python" for product "Python" and version "3.4.1" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.4.2 Search vendor "Python" for product "Python" and version "3.4.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | <= 10.10.4 Search vendor "Apple" for product "Mac Os X" and version " <= 10.10.4" | - |
Affected
| ||||||