CVE-2016-9015

3.7 LOW
Published: January 11, 2017 Modified: May 06, 2026
View on NVD

Description

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/27/6
Source: cve@mitre.org
Mailing List Mitigation
http://www.securityfocus.com/bid/93941
Source: cve@mitre.org
Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2016/10/27/6
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Mitigation
http://www.securityfocus.com/bid/93941
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory VDB Entry

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
3.7 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-295

Affected Vendors

python

Related CVEs

CVE-2026-9278 N/A
CVE-2026-8935 N/A
CVE-2026-8386 N/A
CVE-2026-8385 N/A
CVE-2026-12223 5.5