CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentile: 75.5%

CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.
Author | Note |
---|---|
ccdm94 | The fix released to cpanpm (commit 9c98370) can be applied to the perl codebase to fix the issue. The perl upstream has fixed the issue through commit 96ea0b9b, which is actually an import of CPAN v2.36. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | perl | < 5.26.1-6ubuntu0.7 | UNKNOWN |
ubuntu | 20.04 | noarch | perl | < 5.30.0-9ubuntu0.4 | UNKNOWN |
ubuntu | 22.04 | noarch | perl | < 5.34.0-3ubuntu1.2 | UNKNOWN |
ubuntu | 22.10 | noarch | perl | < 5.34.0-5ubuntu1.2 | UNKNOWN |
ubuntu | 23.04 | noarch | perl | < 5.36.0-7ubuntu0.23.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | perl | < 5.18.2-2ubuntu1.7+esm5 | UNKNOWN |
ubuntu | 16.04 | noarch | perl | < 5.22.1-9ubuntu0.9+esm2 | UNKNOWN |
www.openwall.com/lists/oss-security/2023/04/29/1
www.openwall.com/lists/oss-security/2023/05/03/3
www.openwall.com/lists/oss-security/2023/05/03/5
blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)
github.com/andk/cpanpm/pull/175
launchpad.net/bugs/cve/CVE-2023-31484
metacpan.org/dist/CPAN/changes
nvd.nist.gov/vuln/detail/CVE-2023-31484
security-tracker.debian.org/tracker/CVE-2023-31484
ubuntu.com/security/notices/USN-6112-1
ubuntu.com/security/notices/USN-6112-2
www.cve.org/CVERecord?id=CVE-2023-31484
www.openwall.com/lists/oss-security/2023/04/18/14