ALAS2-2022-1742 --- python-pipID: oval:org.secpod.oval:def:1700797 | Date: (C)2022-02-01 (M)2023-11-13 |
Class: PATCH | Family: unix |
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity
Product: |
python-pip |
python2-pip |
python3-pip |