8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.9%
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where users
must opt in to verify certificates.
Author | Note |
---|---|
ccdm94 | It seems like upstream will not be fixing this issue due to the large risk that it might break things and in order to maintain backwards compatibility. As per the information available in https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORTIt, HTTP:Tiny aims to not make assumptions about trust models chosen by users, and, therefore, according to the documentation and upstream’s position regarding this issue (see p5-http-tiny issues 68 and 134), it is recommended that users set the verify_SSL option in their own code in order to apply certificate verification functionalities to their applications. Due to the risk of this issue introducing regressions and all that has been mentioned up to this point, releases will be marked as ignored. |
www.openwall.com/lists/oss-security/2023/04/29/1
www.openwall.com/lists/oss-security/2023/05/03/3
www.openwall.com/lists/oss-security/2023/05/03/5
blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
github.com/chansen/p5-http-tiny/issues/134
hackeriet.github.io/cpan-http-tiny-overview/
launchpad.net/bugs/cve/CVE-2023-31486
nvd.nist.gov/vuln/detail/CVE-2023-31486
security-tracker.debian.org/tracker/CVE-2023-31486
www.cve.org/CVERecord?id=CVE-2023-31486
www.openwall.com/lists/oss-security/2023/04/18/14
www.openwall.com/lists/oss-security/2023/05/03/4
www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/