CVE-2023-31486
Published: 29 April 2023
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Notes
Author | Note |
---|---|
ccdm94 | It seems like upstream will not be fixing this issue due to the large risk that it might break things and in order to maintain backwards compatibility. As per the information available in https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORTIt, HTTP:Tiny aims to not make assumptions about trust models chosen by users, and, therefore, according to the documentation and upstream's position regarding this issue (see p5-http-tiny issues 68 and 134), it is recommended that users set the verify_SSL option in their own code in order to apply certificate verification functionalities to their applications. Due to the risk of this issue introducing regressions and all that has been mentioned up to this point, releases will be marked as ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
libhttp-tiny-perl Launchpad, Ubuntu, Debian |
bionic |
Ignored
(see notes)
|
focal |
Ignored
(see notes)
|
|
jammy |
Ignored
(see notes)
|
|
kinetic |
Ignored
(end of life, was ignored [see notes])
|
|
lunar |
Ignored
(end of life, was ignored [see notes])
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needed
|
|
xenial |
Ignored
(see notes)
|
|
perl Launchpad, Ubuntu, Debian |
bionic |
Ignored
(see notes)
|
focal |
Ignored
(see notes)
|
|
jammy |
Ignored
(see notes)
|
|
kinetic |
Ignored
(end of life, was ignored [see notes])
|
|
lunar |
Ignored
(end of life, was ignored [see notes])
|
|
trusty |
Ignored
(see notes)
|
|
upstream |
Needed
|
|
xenial |
Ignored
(see notes)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- https://github.com/chansen/p5-http-tiny/issues/134
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://hackeriet.github.io/cpan-http-tiny-overview/
- https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- https://www.openwall.com/lists/oss-security/2023/05/03/4
- https://www.cve.org/CVERecord?id=CVE-2023-31486
- NVD
- Launchpad
- Debian