Description

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Remediation

References

CVE-2014-9365

Related Vulnerabilities

Apache Tomcat Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-2071)

WordPress Plugin Lightbox Gallery Cross-Site Scripting (0.9.4)

WordPress Plugin AdVert Cross-Site Scripting (1.0.5)

phpMyAdmin Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2016-6611)

Joomla Session Fixation Vulnerability (CVE-2010-1434)

Severity

Medium

Classification

CVE-2014-9365

Tags

Missing Update Known Vulnerabilities