
CVE-2012-5825: Tweepy does not verify SSL Certificate

CVSS Score
5.3 (CVSS v3.1)

Basic Information

EPSS Score
0.36038%
Published
5/17/2022
Updated
11/18/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name
tweepy
Ecosystem
pip
Vulnerable Versions
< 3.0
First Patched Version
3.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from Tweepy's use of Python's httplib without SSL certificate validation. Key evidence includes:

  1. The CVE description explicitly mentions httplib usage as the root cause
  2. The fix in PR #400 replaced httplib with Requests library which enforces proper SSL validation
  3. Historical code structure shows binder.py was responsible for HTTP connections
  4. The 'connect' function in binder.py would be the logical place where insecure HTTPSConnection was instantiated
  5. API class methods would propagate this vulnerability through the request stack

While we can't see the exact pre-3.0 code, the migration to Requests and the CVE details strongly indicate these were the vulnerable entry points.


WAF Protection Rules

WAF Rule

Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
