VYPR
Medium severity 5.9 · NVD Advisory · Published Jul 17, 2017 · Updated May 13, 2026

CVE-2017-1000007


Description

txAWS (all current versions) fails to perform complete certificate verification, resulting in vulnerability to MitM attacks and information disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---------|-----------|-------------------|------------------|
| txaws   | PyPI      | < 0.4.0           | 0.4.0            |

Patches

46b66c3dc315

Merge pull request #26 from twisted/24.certificate.verification

https://github.com/twisted/txaws · Tristan Seligmann · Jan 9, 2017 · via ghsa
2 files changed · +19 −1
  • txaws/service.py +7 −1 modified
    @@ -2,6 +2,8 @@
     # Copyright (C) 2009 Robert Collins <robertc@robertcollins.net>
     # Licenced under the txaws licence available at /LICENSE in the txaws source.
     
    +import warnings
    +
     from txaws.credentials import AWSCredentials
     from txaws import regions
     from txaws.util import parse
    @@ -42,12 +44,16 @@ class AWSServiceEndpoint(object):
             will be done when connecting to the endpoint.
         """
     
    -    def __init__(self, uri="", method="GET", ssl_hostname_verification=False):
    +    def __init__(self, uri="", method="GET", ssl_hostname_verification=True):
             self.host = ""
             self.port = None
             self.path = "/"
             self.method = method
             self.ssl_hostname_verification = ssl_hostname_verification
    +        if not self.ssl_hostname_verification:
    +            warnings.warn(
    +                "Operating with certificate verification disabled!", stacklevel=2,
    +            )
             self._parse_uri(uri)
             if not self.scheme:
                 self.scheme = "http"
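Review bot: In `__init__`, the check `if not self.ssl_hostname_verification:` runs only at construction and before `self._parse_uri(uri)`, so it warns even when the URI turns out to be plain `http`, and it stays silent if a caller later assigns `endpoint.ssl_hostname_verification = False`. Consider running the check once the scheme is known, or wherever the flag is actually consumed, and passing a dedicated warning category to `warnings.warn` instead of the default `UserWarning` so deployments can escalate it to an error with a warnings filter. The parameter is named for hostname verification while the message says "certificate verification"; the docstring should state which checks `False` disables.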
    
  • txaws/tests/test_service.py +12 −0 modified
    @@ -21,6 +21,18 @@ class AWSServiceEndpointTestCase(TXAWSTestCase):
         def setUp(self):
             self.endpoint = AWSServiceEndpoint(uri="http://my.service/da_endpoint")
     
    +    def test_warning_when_verification_disabled(self):
    +        """
    +        L{AWSServiceEndpoint} emits a warning when told not to perform
    +        certificate verification.
    +        """
    +        self.assertWarns(
    +            UserWarning,
    +            "Operating with certificate verification disabled!",
    +            __file__,
    +            lambda: AWSServiceEndpoint(ssl_hostname_verification=False),
    +        )
    +
         def test_simple_creation(self):
             endpoint = AWSServiceEndpoint()
             self.assertEquals(endpoint.scheme, "http")
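Review bot: The new test covers only the `ssl_hostname_verification=False` path; nothing in this hunk asserts the changed default. Add an assertion that `AWSServiceEndpoint().ssl_hostname_verification` is `True` and that constructing with defaults emits no warning, for example in `test_simple_creation`, so a later revert of the default fails the suite.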
    
