CVE-2014-9365

Severity

57%

Complexity

86%

Confidentiality

81%

CWE-295: Improper Certificate Validation

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CWE-295: Improper Certificate Validation

CVSS 2.0 Base Score 5.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N).

Overview

First reported 10 years ago

2014-12-12 11:59:00

Last updated 5 years ago

2019-10-25 11:53:00

Affected Software

Python 2.0

2.0

Python 2.0.1

2.0.1

Python 2.1

2.1

Python 2.1.1

2.1.1

Python 2.1.2

2.1.2

Python 2.1.3

2.1.3

Python 2.2

2.2

Python 2.2.1

2.2.1

Python 2.2.2

2.2.2

Python 2.2.3

2.2.3

Python 2.3.1

2.3.1

Python 2.3.2

2.3.2

Python 2.3.3

2.3.3

Python 2.3.4

2.3.4

Python 2.3.5

2.3.5

Python 2.3.7

2.3.7

Python 2.4.1

2.4.1

Python 2.4.2

2.4.2

Python Python 2.4.3

2.4.3

Python 2.4.4

2.4.4

Python 2.4.6

2.4.6

Python 2.5.1

2.5.1

Python 2.5.2

2.5.2

Python 2.5.3

2.5.3

Python 2.5.4

2.5.4

Python 2.5.6

2.5.6

Python 2.5.150

2.5.150

Python 2.6.1

2.6.1

Python 2.6.2

2.6.2

Python 2.6.3

2.6.3

Python 2.6.4

2.6.4

Python 2.6.5

2.6.5

Python 2.6.6

2.6.6

Python 2.6.7

2.6.7

Python 2.6.8

2.6.8

Python 2.6.2150

2.6.2150

Python 2.6.6150

2.6.6150

Python 2.7.1

2.7.1

Python 2.7.1 Release Candiate 1

2.7.1

Python 2.7.2 Release Candidate 1

2.7.2

Python 2.7.3

2.7.3

Python 2.7.4

2.7.4

Python 2.7.5

2.7.5

Python 2.7.6

2.7.6

Python 2.7.7

2.7.7

Python 2.7.8

2.7.8

Python 2.7.1150

2.7.1150

Python 2.7.1150 (x64) 64-bit

2.7.1150

Python 2.7.2150

2.7.2150

Python 3.0

3.0

Python 3.0.1

3.0.1

Python 3.1

3.1

Python 3.1.1

3.1.1

Python 3.1.2

3.1.2

Python 3.1.3

3.1.3

Python 3.1.4

3.1.4

Python 3.1.5

3.1.5

Python 3.1.2150 (x64) 64-bit

3.1.2150

Python 3.2

3.2

Python 3.2-alpha

3.2

Python 3.2.0

3.2.0

Python 3.2.1

3.2.1

Python 3.2.2

3.2.2

Python 3.2.3

3.2.3

Python 3.2.4

3.2.4

Python 3.2.5

3.2.5

Python 3.2.6

3.2.6

Python 3.2.2150

3.2.2150

Python 3.3

3.3

Python 3.3 beta 2

3.3

Python 3.3.0

3.3.0

Python 3.3.1

3.3.1

Python 3.3.1 release candidate 1

3.3.1

Python 3.3.2

3.3.2

Python 3.3.3

3.3.3

Python 3.3. release candidate 1

3.3.3

Python 3.3.3 release candidate 2

3.3.3

Python 3.3.4

3.3.4

Python 3.3.4 release candidate 1

3.3.4

Python 3.3.5

3.3.5

Python 3.3.5 release candidate 1

3.3.5

Python 3.3.5 release candidate 2

3.3.5

Python 3.3.6 release candidate 1

3.3.6

Python 3.4 alpha 1

3.4

Python 3.4.0

3.4.0

Python 3.4.1

3.4.1

Python 3.4.2

3.4.2

Apple Mac OS X

References

http://bugs.python.org/issue22417

Exploit

APPLE-SA-2015-08-13-2

[oss-security] 20141211 CVE request: Python, standard library HTTP clients

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

71639

RHSA-2016:1166

RHSA-2017:1162

RHSA-2017:1868

GLSA-201503-10

https://support.apple.com/kb/HT205031

https://www.python.org/dev/peps/pep-0476/

Exploit, Vendor Advisory

https://www.python.org/downloads/release/python-279/

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.