CVE-2023-31486

Published: Apr 29, 2023Modified: Jan 30, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Affected (2)

Products: Http\: \ · Perl: Perl

Http\

1 product

Perl

1 product

Perl

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Http\ \	Before 0.083

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Perl Perl	Before 5.38.0

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (21)

http://www.openwall.com/lists/oss-security/2023/04/29/1

Source: cve@mitre.org

Mailing ListPatch

http://www.openwall.com/lists/oss-security/2023/05/03/3

Source: cve@mitre.org

Mailing ListPatch

http://www.openwall.com/lists/oss-security/2023/05/03/5

Source: cve@mitre.org

Mailing List

http://www.openwall.com/lists/oss-security/2023/05/07/2

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/

Source: cve@mitre.org

MitigationPatchThird Party Advisory

https://github.com/chansen/p5-http-tiny/pull/153

Source: cve@mitre.org

Patch

https://hackeriet.github.io/cpan-http-tiny-overview/

Source: cve@mitre.org

Product

https://www.openwall.com/lists/oss-security/2023/04/18/14

Source: cve@mitre.org

Mailing ListPatch

https://www.openwall.com/lists/oss-security/2023/05/03/4

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/

Source: cve@mitre.org

Issue Tracking

http://www.openwall.com/lists/oss-security/2023/04/29/1