3.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-9015

GHSA ID

GHSA-v4w5-p2hg-8fh6

EPSS Score

0.66967%

CWE

CWE-295

Published

5/17/2022

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-9015

CVE-2016-9015: Urllib3 Incorrect Certificate Validation

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.

(GitHub Advisory)

3.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-9015

GHSA ID

GHSA-v4w5-p2hg-8fh6

EPSS Score

0.66967%

CWE

CWE-295

Published

5/17/2022

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urllib3	pip	>= 1.17, <= 1.18	1.18.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect mapping between Python's ssl.CERT_* constants and OpenSSL verify flags. The commit diff shows critical changes in PyOpenSSLContext.verify_mode.setter and ssl_wrap_socket where certificate validation flags were improperly set using direct value mappings rather than proper OpenSSL flag combinations. This caused OpenSSL 1.1.0 to misinterpret validation requirements (e.g., treating CERT_REQUIRED as 2 instead of VERIFY_PEER+VERIFY_FAIL_IF_NO_PEER_CERT=1+2=3). Both functions directly handled certificate verification configuration and were modified in the security patch to use proper flag mappings.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.** *n* *.** o* t** Pyt*on urlli** li*r*ry su***r *rom * vuln*r**ility t**t **n **us* t**m, in **rt*in *on*i*ur*tions, to not *orr**tly v*li**t* TLS **rti*i**t*s. T*is pl***s us*rs o* t** li*r*ry wit* t*os* *on*i*ur*tions *t risk o* m*n-in-

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t m*ppin* **tw**n Pyt*on's ssl.**RT_* *onst*nts *n* Op*nSSL v*ri*y *l**s. T** *ommit *i** s*ows *riti**l ***n**s in PyOp*nSSL*ont*xt.v*ri*y_mo**.s*tt*r *n* ssl_wr*p_so*k*t w**r* **rti*i**t* v*li**tion *l**s w*r* i

3.7

Basic Information

Concerned about an active attack path?

CVE-2016-9015: Urllib3 Incorrect Certificate Validation

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI