{"api_version":"1","generated_at":"2026-04-22T20:52:29+00:00","cve":"CVE-2019-11324","urls":{"html":"https://cve.report/CVE-2019-11324","api":"https://cve.report/api/cve/CVE-2019-11324.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11324","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11324"},"summary":{"title":"CVE-2019-11324","description":"The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-04-18 21:29:00","updated_at":"2023-11-07 03:02:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html","name":"[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2686-1] python-urllib3 security update","mime":"text/html","httpstatus":"200","archivestatus":"503"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html","name":"[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3610-1] python-urllib3 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2019/04/19/1","name":"[oss-security] 20190418 Re: urllib3: adds system certificates to ssl_context","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: urllib3: adds system certificates to ssl_context","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3990-1/","name":"USN-3990-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3990-1: urllib3 vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:3590","name":"RHSA-2019:3590","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4","name":"https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Comparing a6ec68a...1efadf4 · urllib3/urllib3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/","name":"FEDORA-2020-d0d9ad17d8","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: python-pip-19.0.3-6.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html","name":"openSUSE-SU-2019:2133","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2133-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/","name":"FEDORA-2020-6148c44137","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: python-pip-19.1.1-7.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:3335","name":"RHSA-2019:3335","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/","name":"FEDORA-2020-6148c44137","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: python-pip-19.1.1-7.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/","name":"FEDORA-2020-d0d9ad17d8","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 30 Update: python-pip-19.0.3-6.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html","name":"openSUSE-SU-2019:2131","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2131-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11324","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11324","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"urllib3","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11324","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"urllib3","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-11324","qid":"159655","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2020-1605)"},{"cve":"CVE-2019-11324","qid":"159668","title":"Oracle Enterprise Linux Security Update for python27:2.7 security and bug fix update (ELSA-2019-3335)"},{"cve":"CVE-2019-11324","qid":"178673","title":"Debian Security Update for python-urllib3 (DLA 2686-1)"},{"cve":"CVE-2019-11324","qid":"377534","title":"Alibaba Cloud Linux Security Update for python-pip (ALINUX2-SA-2020:0030)"},{"cve":"CVE-2019-11324","qid":"377557","title":"Alibaba Cloud Linux Security Update for python27:2.7 (ALINUX3-SA-2022:0112)"},{"cve":"CVE-2019-11324","qid":"6000046","title":"Debian Security Update for python-urllib3 (DLA 3610-1)"},{"cve":"CVE-2019-11324","qid":"670234","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2021-1842)"},{"cve":"CVE-2019-11324","qid":"940120","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2020:1605)"},{"cve":"CVE-2019-11324","qid":"940202","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2019:3335)"},{"cve":"CVE-2019-11324","qid":"982225","title":"Python (pip) Security Update for urllib3 (GHSA-mh33-7rrq-662w)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-11324","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4","refsource":"MISC","name":"https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4"},{"refsource":"MLIST","name":"[oss-security] 20190418 Re: urllib3: adds system certificates to ssl_context","url":"http://www.openwall.com/lists/oss-security/2019/04/19/1"},{"refsource":"UBUNTU","name":"USN-3990-1","url":"https://usn.ubuntu.com/3990-1/"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2131","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2133","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"},{"refsource":"REDHAT","name":"RHSA-2019:3590","url":"https://access.redhat.com/errata/RHSA-2019:3590"},{"refsource":"REDHAT","name":"RHSA-2019:3335","url":"https://access.redhat.com/errata/RHSA-2019:3335"},{"refsource":"FEDORA","name":"FEDORA-2020-6148c44137","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/"},{"refsource":"FEDORA","name":"FEDORA-2020-d0d9ad17d8","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}]}},"nvd":{"publishedDate":"2019-04-18 21:29:00","lastModifiedDate":"2023-11-07 03:02:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*","versionEndExcluding":"1.24.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11324","Ordinal":"149612","Title":"CVE-2019-11324","CVE":"CVE-2019-11324","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11324","Ordinal":"1","NoteData":"The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11324","Ordinal":"2","NoteData":"2019-04-18","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11324","Ordinal":"3","NoteData":"2021-06-15","Type":"Other","Title":"Modified"}]}}}