VulnerableCode Package Details - pkg:deb/debian/python-urllib3@1.25.6-4?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6kxp-qa5x-q3bq	The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.	CVE-2019-11324 GHSA-mh33-7rrq-662w PYSEC-2019-133
VCID-b3e6-k53t-bkgk	In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.	CVE-2019-11236 GHSA-r64q-w8jr-g9qp PYSEC-2019-132
VCID-squd-j9t3-9khh	urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).	CVE-2018-25091 GHSA-gwvm-45gx-3cf8 PYSEC-2023-207

Vulnerability

Summary

Aliases

VCID-6kxp-qa5x-q3bq

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

CVE-2019-11324
GHSA-mh33-7rrq-662w
PYSEC-2019-133

VCID-b3e6-k53t-bkgk

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

CVE-2019-11236
GHSA-r64q-w8jr-g9qp
PYSEC-2019-132

VCID-squd-j9t3-9khh

urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).

CVE-2018-25091
GHSA-gwvm-45gx-3cf8
PYSEC-2023-207

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:45:13.886541+00:00	Debian Importer	Fixing	VCID-6kxp-qa5x-q3bq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:41:57.934439+00:00	Debian Importer	Fixing	VCID-b3e6-k53t-bkgk	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:54:39.869844+00:00	Debian Importer	Fixing	VCID-squd-j9t3-9khh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:44:46.502777+00:00	Debian Importer	Fixing	VCID-6kxp-qa5x-q3bq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:27:03.997896+00:00	Debian Importer	Fixing	VCID-b3e6-k53t-bkgk	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:58:48.928008+00:00	Debian Importer	Fixing	VCID-squd-j9t3-9khh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:55.475473+00:00	Debian Importer	Fixing	VCID-6kxp-qa5x-q3bq	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:55.426278+00:00	Debian Importer	Fixing	VCID-b3e6-k53t-bkgk	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:55.380575+00:00	Debian Importer	Fixing	VCID-squd-j9t3-9khh	https://security-tracker.debian.org/tracker/data/json	38.1.0